📘 Module 1: Defining Cyber, Security, and Cybersecurity Policy

🔍 What is Cyber?
Refers to the interconnected digital world, encompassing the internet, networks, and information
systems.​

🛡️ What is Security?
The practice of protecting systems and data from unauthorized access, ensuring confidentiality,
integrity, and availability.​

🧩 Demystifying the Cybersecurity Problem

Understanding the complexity and multifaceted nature of cybersecurity challenges.​

🌐 The Threat Landscape

Overview of current cyber threats, including malware, phishing, and advanced persistent threats
(APTs).​

🧠 Practical Questions
Encourages critical thinking about cybersecurity scenarios and policies.​

🌍 Module 2: Evolution of the Internet

🧪 Academic Inspiration and a World-Changing Idea
The genesis of the internet from academic research initiatives.​

🏛️ Government Support and Prototyping

Role of government in funding and developing early internet prototypes.​

🏢 Private Sector Support and Moving the Internet Out of the Lab
Transition of internet technologies from research labs to commercial applications.​

🌐 Building the World Wide Web

Development of the WWW, enabling global information sharing.​

🌏 The Internet as a Global Commons

Understanding the internet as a shared resource and the implications for governance.​

🛰️ Module 3: Global Telecommunications Architecture and

Governance
📦 How Data Moves: Encapsulation
Process of wrapping data with necessary protocol information for transmission.​

🧱 OSI Model Layers

Detailed exploration of the seven layers: Physical, Data Link, Network, Transport, Session,
Presentation, and Application.​

🏛️ What is Governance?
Mechanisms and policies that regulate internet operations and standards.​

🌐 Governing the Internet

Roles of organizations like ICANN and IETF in managing internet resources and protocols.​

🕵️‍♂️ Module 4: Threat Actors and Their Motivations

👤 Threat Actors: Who Are the Hackers?
Identification of various entities involved in cyber threats, including individuals and groups.​

🎮 Hobbyists
Individuals experimenting with hacking for learning or personal challenge.​

💰 Criminal Organizations
Groups engaging in cybercrime for financial gain.​

🎭 Hacktivists
Hackers driven by political or social motivations.​

🏴‍☠️ Advanced Persistent Threats (APTs)

State-sponsored or highly organized groups conducting prolonged cyber attacks.​

🛠️ Module 5: The Hacking Process

🔄 Hacking as a Process
Understanding hacking as a structured methodology rather than random acts.​

🔍 Reconnaissance
Gathering information about targets to identify vulnerabilities.​

🧰 Weaponization
 Developing or selecting tools to exploit identified vulnerabilities.​

📤 Delivery
Transmitting the exploit to the target system.​

💥 Exploitation and Installation

Executing the exploit and establishing a foothold in the system.​

📡 Command and Control

Maintaining communication with compromised systems to issue commands.​

🎯 Effects
Actions taken post-compromise, such as data exfiltration or system disruption.​

🎯 Module 6: End Effects - Direct and Indirect Consequences

🧠 Framing Effects
How the presentation of information influences perception and decision-making in cybersecurity.​

⚠️ Primary Effects

Immediate impacts of cyber incidents, such as data breaches or service outages.​

🔄 Secondary Effects
Subsequent consequences, including reputational damage and financial loss.​

🌐 Second-Level Effects
Broader implications, such as changes in policy, public trust, and international relations.
 United States Government Accountability Office

GAO Testimony
Before the Subcommittee on Oversight,
Investigations, and Management,
Committee on Homeland Security, House
of Representatives
CYBERSECURITY
For Release on Delivery
Expected at 2:00 p.m. EDT
Tuesday, April 24, 2012

Threats Impacting the

Nation
Statement of Gregory C. Wilshusen, Director
Information Security Issues

GAO-12-666T
 April 24, 2012

CYBERSECURITY
Threats Impacting the Nation

Highlights of GAO-12-666T, a testimony

before the Subcommittee on Oversight,
Investigations, and Management, Committee
on Homeland Security, House of
Representatives

Why GAO Did This Study What GAO Found

Nearly every aspect of American The nation faces an evolving array of cyber-based threats arising from a variety
society increasingly depends upon of sources. These threats can be intentional or unintentional. Unintentional
information technology systems and threats can be caused by software upgrades or defective equipment that
networks. This includes increasing inadvertently disrupt systems, and intentional threats can be both targeted and
computer interconnectivity, particularly untargeted attacks from a variety of threat sources. Sources of threats include
through the widespread use of the criminal groups, hackers, terrorists, organization insiders, and foreign nations
Internet as a medium of engaged in crime, political activism, or espionage and information warfare. These
communication and commerce. While threat sources vary in terms of the capabilities of the actors, their willingness to
providing significant benefits, this
act, and their motives, which can include monetary gain or political advantage,
increased interconnectivity can also
among others. Moreover, potential threat actors have a variety of attack
create vulnerabilities to cyber-based
threats. Pervasive and sustained cyber
techniques at their disposal, which can adversely affect computers, software, a
attacks against the United States could network, an organization’s operation, an industry, or the Internet itself. The
have a potentially devastating impact nature of cyber attacks can vastly enhance their reach and impact due to the fact
on federal and nonfederal systems, that attackers do not need to be physically close to their victims and can more
disrupting the operations of easily remain anonymous, among other things. The magnitude of the threat is
governments and businesses and the compounded by the ever-increasing sophistication of cyber attack techniques,
lives of private individuals. Accordingly, such as attacks that may combine multiple techniques. Using these techniques,
GAO has designated federal threat actors may target individuals, businesses, critical infrastructures, or
information security as a government organizations.
governmentwide high-risk area since
1997, and in 2003 expanded it to The threat posed by cyber attacks is heightened by vulnerabilities in federal
include protecting systems and assets systems and systems supporting critical infrastructure. Specifically, significant
vital to the nation (referred to as critical weaknesses in information security controls continue to threaten the
infrastructures). confidentiality, integrity, and availability of critical information and information
systems supporting the operations, assets, and personnel of federal government
GAO is providing a statement that agencies. For example, 18 of 24 major federal agencies have reported
describes (1) cyber threats facing the inadequate information security controls for financial reporting for fiscal year
nation’s systems, (2) vulnerabilities 2011, and inspectors general at 22 of these agencies identified information
present in federal information systems
security as a major management challenge for their agency. Moreover, GAO,
and systems supporting critical
agency, and inspector general assessments of information security controls
infrastructure, and (3) reported cyber
incidents and their impacts. In during fiscal year 2011 revealed that most major agencies had weaknesses in
preparing this statement, GAO relied most major categories of information system controls. In addition, GAO has
on previously published work in these identified vulnerabilities in systems that monitor and control sensitive processes
areas and reviewed more recent GAO, and physical functions supporting the nation’s critical infrastructures. These and
agency, and inspectors general work, similar weaknesses can be exploited by threat actors, with potentially severe
as well as reports on security incidents. effects.

What GAO Recommends The number of cybersecurity incidents reported by federal agencies continues to
rise, and recent incidents illustrate that these pose serious risk. Over the past 6
GAO has previously made years, the number of incidents reported by federal agencies to the federal
recommendations to resolve identified information security incident center has increased by nearly 680 percent. These
significant control deficiencies. incidents include unauthorized access to systems; improper use of computing
resources; and the installation of malicious software, among others. Reported
attacks and unintentional incidents involving federal, private, and infrastructure
systems demonstrate that the impact of a serious attack could be significant,
including loss of personal or sensitive information, disruption or destruction of
View GAO-12-666T. For more information,
contact Gregory C. Wilshusen at (202) 512- critical infrastructure, and damage to national and economic security.
6244 or wilshuseng@gao.gov.

United States Government Accountability Office

Chairman McCaul, Ranking Member Keating, and Members of the
Subcommittee:

Thank you for the opportunity to testify at today’s hearing on the cyber-
based threats facing our nation.

The increasing dependency upon information technology (IT) systems

and networked operations pervades nearly every aspect of our society. In
particular, increasing computer interconnectivity—most notably growth in
the use of the Internet—has revolutionized the way that our government,
our nation, and much of the world communicate and conduct business.
While bringing significant benefits, this dependency can also create
vulnerabilities to cyber-based threats. Pervasive and sustained cyber
attacks against the United States could have a potentially devastating
impact on federal and nonfederal systems and operations. In January
2012, the Director of National Intelligence testified that such threats pose
a critical national and economic security concern. 1 These growing and
evolving threats can potentially affect all segments of our society—
individuals; private businesses; local, state, and federal governments; and
other entities. Underscoring the importance of this issue, we have
designated federal information security as a high-risk area since 1997
and in 2003 expanded this area to include protecting computerized
systems supporting our nation’s critical infrastructure. 2

In my testimony today, I will describe (1) cyber threats facing the nation’s
systems, (2) vulnerabilities present in federal systems and systems
supporting critical infrastructure, 3 and (3) reported cyber incidents and
their impacts. In preparing this statement in April 2012, we relied on our
previous work in these areas. (Please see the related GAO products in
appendix I.) These products contain detailed overviews of the scope and
methodology we used. We also reviewed more recent agency, inspector

1
James R. Clapper, Director of National Intelligence, Unclassified Statement for the
Record on the Worldwide Threat Assessment of the US Intelligence Community for the
Senate Select Committee on Intelligence (January 31, 2012).
2
See, most recently, GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.:
February 2011).
3
Critical infrastructures are systems and assets, whether physical or virtual, so vital to our
nation that their incapacity or destruction would have a debilitating impact on national
security, economic well-being, public health or safety, or any combination of these.

Page 1 GAO-12-666T Cyber Threats

 general, and GAO assessments of security vulnerabilities at federal
agencies and information on security incidents from the U.S. Computer
Emergency Readiness Team (US-CERT), media reports, and other
publicly available sources. The work on which this statement is based
was conducted in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
audits to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provided a reasonable basis for our
findings and conclusions based on our audit objectives.

As computer technology has advanced, both government and private

Background entities have become increasingly dependent on computerized
information systems to carry out operations and to process, maintain, and
report essential information. Public and private organizations rely on
computer systems to transmit sensitive and proprietary information,
develop and maintain intellectual capital, conduct operations, process
business transactions, transfer funds, and deliver services. In addition,
the Internet has grown increasingly important to American business and
consumers, serving as a medium for hundreds of billions of dollars of
commerce each year, as well as developing into an extended information
and communications infrastructure supporting vital services such as
power distribution, health care, law enforcement, and national defense.

Consequently, the security of these systems and networks is essential to

protecting national and economic security, public health and safety, and
the flow of commerce. Conversely, ineffective information security
controls can result in significant risks, including

• loss or theft of resources, such as federal payments and collections;

• inappropriate access to and disclosure, modification, or destruction of
sensitive information, such as national security information, personal
taxpayer information, or proprietary business information;
• disruption of critical operations supporting critical infrastructure,
national defense, or emergency services;
• undermining of agency missions due to embarrassing incidents that
erode the public’s confidence in government; and
• use of computer resources for unauthorized purposes or to launch
attacks on other computers systems.

Page 2 GAO-12-666T Cyber Threats

 Cyber-based threats are evolving and growing and arise from a wide
The Nation Faces an array of sources. These threats can be unintentional or intentional.
Evolving Array of Unintentional threats can be caused by software upgrades or defective
equipment that inadvertently disrupt systems. Intentional threats include
Cyber-Based Threats both targeted and untargeted attacks from a variety of sources, including
criminal groups, hackers, disgruntled employees, foreign nations engaged
in espionage and information warfare, and terrorists. These threat
sources vary in terms of the capabilities of the actors, their willingness to
act, and their motives, which can include monetary gain or political
advantage, among others. Table 1 shows common sources of cyber
threats.

Table 1: Sources of Cybersecurity Threats

Threat source Description

Bot-network operators Bot-net operators use a network, or bot-net, of compromised, remotely controlled systems to
coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of
these networks are sometimes made available on underground markets (e.g., purchasing a denial-
of-service attack or services to relay spam or phishing attacks).
Criminal groups Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups
use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer
extortion. International corporate spies and criminal organizations also pose a threat to the United
States through their ability to conduct industrial espionage and large-scale monetary theft and to
hire or develop hacker talent.
Hackers Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community,
revenge, stalking, monetary gain, and political activism, among other reasons. While gaining
unauthorized access once required a fair amount of skill or computer knowledge, hackers can now
download attack scripts and protocols from the Internet and launch them against victim sites. Thus,
while attack tools have become more sophisticated, they have also become easier to use.
According to the Central Intelligence Agency, the large majority of hackers do not have the requisite
expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide
population of hackers poses a relatively high threat of an isolated or brief disruption causing serious
damage.
Insiders The disgruntled organization insider is a principal source of computer crime. Insiders may not need
a great deal of knowledge about computer intrusions because their knowledge of a target system
often allows them to gain unrestricted access to cause damage to the system or to steal system
data. The insider threat includes contractors hired by the organization, as well as careless or poorly
trained employees who may inadvertently introduce malware into systems.
Nations Nations use cyber tools as part of their information-gathering and espionage activities. In addition,
several nations are aggressively working to develop information warfare doctrine, programs, and
capabilities. Such capabilities enable a single entity to have a significant and serious impact by
disrupting the supply, communications, and economic infrastructures that support military power—
impacts that could affect the daily lives of citizens across the country. In his January 2012
testimony, the Director of National Intelligence stated that, among state actors, China and Russia
are of particular concern.
Phishers Individuals or small groups execute phishing schemes in an attempt to steal identities or
information for monetary gain. Phishers may also use spam and spyware or malware to accomplish
their objectives.

Page 3 GAO-12-666T Cyber Threats

Threat source Description
Spammers Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to
sell products, conduct phishing schemes, distribute spyware or malware, or attack organizations
(e.g., a denial of service).
Spyware or malware authors Individuals or organizations with malicious intent carry out attacks against users by producing and
distributing spyware and malware. Several destructive computer viruses and worms have harmed
files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl)
Virus, Nimda, Code Red, Slammer, and Blaster.
Terrorists Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national
security, cause mass casualties, weaken the economy, and damage public morale and confidence.
Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather
sensitive information.
Source: GAO analysis based on data from the Director of National Intelligence, Department of Justice, Central Intelligence Agency, and
the Software Engineering Institute’s CERT® Coordination Center.

These sources of cyber threats make use of various techniques, or

exploits, that may adversely affect computers, software, a network, an
organization’s operation, an industry, or the Internet itself. Table 2
provides descriptions of common types of cyber exploits.

Table 2: Types of Cyber Exploits

Type of exploit Description

Cross-site scripting An attack that uses third-party web resources to run script within the victim’s web browser
or scriptable application. This occurs when a browser visits a malicious website or clicks a
malicious link. The most dangerous consequences occur when this method is used to
exploit additional vulnerabilities that may permit an attacker to steal cookies (data
exchanged between a web server and a browser), log key strokes, capture screen shots,
discover and collect network information, and remotely access and control the victim’s
machine.
Denial-of-service An attack that prevents or impairs the authorized use of networks, systems, or
applications by exhausting resources.
Distributed denial-of-service A variant of the denial-of-service attack that uses numerous hosts to perform the attack.
Logic bombs A piece of programming code intentionally inserted into a software system that will cause
a malicious function to occur when one or more specified conditions are met.
Phishing A digital form of social engineering that uses authentic-looking, but fake, e-mails to
request information from users or direct them to a fake website that requests information.
Passive wiretapping The monitoring or recording of data, such as passwords transmitted in clear text, while
they are being transmitted over a communications link. This is done without altering or
affecting the data.
Structured Query Language (SQL) An attack that involves the alteration of a database search in a web-based application,
injection which can be used to obtain unauthorized access to sensitive information in a database.
Trojan horse A computer program that appears to have a useful function, but also has a hidden and
potentially malicious function that evades security mechanisms by, for example,
masquerading as a useful program that a user would likely execute.

Page 4 GAO-12-666T Cyber Threats

Type of exploit Description
Virus A computer program that can copy itself and infect a computer without the permission or
knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail
programs to spread itself to other computers, or even erase everything on a hard disk.
Unlike a computer worm, a virus requires human involvement (usually unwitting) to
propagate.
War driving The method of driving through cities and neighborhoods with a wireless-equipped
computer– sometimes with a powerful antenna–searching for unsecured wireless
networks.
Worm A self-replicating, self-propagating, self-contained program that uses network mechanisms
to spread itself. Unlike computer viruses, worms do not require human involvement to
propagate.
Zero-day exploit An exploit that takes advantage of a security vulnerability previously unknown to the
general public. In many cases, the exploit code is written by the same person who
discovered the vulnerability. By writing an exploit for the previously unknown vulnerability,
the attacker creates a potent threat since the compressed timeframe between public
discoveries of both makes it difficult to defend against.
Source: GAO analysis of data from the National Institute of Standards and Technology, United States Computer Emergency Readiness
Team, and industry reports.

The unique nature of cyber-based attacks can vastly enhance their reach
and impact. For example, cyber attackers do not need to be physically
close to their victims, technology allows attacks to easily cross state and
national borders, attacks can be carried out at high speed and directed at
a number of victims simultaneously, and cyber attackers can more easily
remain anonymous. Moreover, the use of these and other techniques is
becoming more sophisticated, with attackers using multiple or “blended”
approaches that combine two or more techniques. Using these
techniques, threat actors may target individuals, resulting in loss of
privacy or identity theft; businesses, resulting in the compromise of
proprietary information or intellectual capital; critical infrastructures,
resulting in their disruption or destruction; or government agencies,
resulting in the loss of sensitive information and damage to economic and
national security.

Page 5 GAO-12-666T Cyber Threats

 Significant weaknesses in information security controls continue to
Systems Supporting threaten the confidentiality, integrity, and availability of critical information
Federal Operations and information systems used to support the operations, assets, and
personnel of federal agencies. For example, in their performance and
and Critical accountability reports and annual financial reports for fiscal year 2011, 18
Infrastructure Are of 24 major federal agencies 4 indicated that inadequate information
Vulnerable to Cyber security controls were either material weaknesses or significant
deficiencies 5 for financial reporting purposes. In addition, inspectors
Attacks general at 22 of the major agencies identified information security or
information system control as a major management challenge for their
agency.

Agency, inspectors general, and GAO assessments of information

security controls during fiscal year 2011 revealed that most major federal
agencies had weaknesses in most of the five major categories of
information system controls: (1) access controls, which ensure that only
authorized individuals can read, alter, or delete data; (2) configuration
management controls, which provide assurance that only authorized
software programs are implemented; (3) segregation of duties, which
reduces the risk that one individual can independently perform
inappropriate actions without detection; (4) continuity of operations
planning, which helps avoid significant disruptions in computer-dependent
operations; and (5) agencywide information security programs, which
provide a framework for ensuring that risks are understood and that
effective controls are selected and implemented. Figure 1 shows the

4
The 24 major departments and agencies are the Departments of Agriculture, Commerce,
Defense, Education, Energy, Health and Human Services, Homeland Security, Housing
and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury,
and Veterans Affairs; the Environmental Protection Agency, General Services
Administration, National Aeronautics and Space Administration, National Science
Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small
Business Administration, Social Security Administration, and U.S. Agency for International
Development.
5
A material weakness is a deficiency, or a combination of deficiencies, in internal control
such that there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected on a timely basis. A
significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by
those charged with governance. A control deficiency exists when the design or operation
of a control does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct, misstatements on a timely
basis.

Page 6 GAO-12-666T Cyber Threats

number of agencies that had vulnerabilities in these five information
security control categories.

Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal

Year 2011

Over the past several years, we and agency inspectors general have
made hundreds of recommendations to resolve similar previously
identified significant control deficiencies. We have also recommended
that agencies fully implement comprehensive, agencywide information
security programs, including by correcting weaknesses in specific areas
of their programs. The effective implementation of these
recommendations will strengthen the security posture at these agencies.

In addition, securing the control systems that monitor and control

sensitive processes and physical functions supporting many of our
nation’s critical infrastructures is a national priority, and we have identified
vulnerabilities in these systems. For example, in September 2007, we
reported that critical infrastructure control systems faced increasing risks
due to cyber threats, system vulnerabilities, and the serious potential

Page 7 GAO-12-666T Cyber Threats

impact of possible attacks. 6 Specifically, we determined that critical
infrastructure owners faced both technical and organizational challenges
to securing control systems, such as limited processing capabilities and
developing compelling business cases for investing in control systems
security, among others. We further identified federal initiatives under way
to help secure these control systems, but noted that more needed to be
done to coordinate these efforts and address shortfalls. We made
recommendations to the Department of Homeland Security to develop a
strategy for coordinating control systems security efforts and enhance
information sharing with relevant stakeholders. Since this report, the
department formed the Industrial Control Systems Cyber Emergency
Response Team to provide industrial control system stakeholders with
situational awareness and analytical support to effectively manage risk. In
addition, it has taken several actions, such as developing a catalog of
recommended security practices for control systems, developing a
cybersecurity evaluation tool that allows asset owners to assess their
control systems and overall security posture, and collaborating with
others to promote control standards and system security. We have not
evaluated these activities to assess their effectiveness in improving the
security of control systems against cyber threats.

In May 2008, we reported that the Tennessee Valley Authority’s (TVA)

corporate network contained security weaknesses that could lead to the
disruption of control systems networks and devices connected to that
network. 7 We made 19 recommendations to improve the implementation
of information security program activities for the control systems
governing TVA’s critical infrastructures and 73 recommendations to
address weaknesses in information security controls. TVA concurred with
the recommendations and has taken steps to implement them.

In addition to those present in federal systems and systems supporting

critical infrastructure, vulnerabilities in mobile computing devices used by
individuals or organizations may provide openings to cyber threats. For
example, consumers and federal agencies are increasing their use of
mobile devices to communicate and access services over the Internet.

6
GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are
Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007).
7
GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and
Networks, GAO-08-526 (Washington, D.C.: May 21, 2008).

Page 8 GAO-12-666T Cyber Threats

 The use of these devices offers many benefits including ease of sending
and checking messages and remotely accessing information online;
however, it can also introduce information security risks if not properly
protected. We have ongoing work to determine (1) what common security
threats and vulnerabilities affect generally available cellphones,
smartphones, and tablets; (2) what security features and practices have
been identified to mitigate the risks associated with these vulnerabilities;
and (3) the extent to which government and private entities are
addressing security vulnerabilities of mobile devices.

Federal agencies have reported increasing numbers of security incidents

Number of that placed sensitive information at risk, with potentially serious impacts
Cybersecurity on federal operations, assets, and people. When incidents occur,
agencies are to notify the federal information security incident center—
Incidents Reported by US-CERT. Over the past 6 years, the number of incidents reported by
Federal Agencies federal agencies to US-CERT has increased from 5,503 incidents in fiscal
Continues to Rise, year 2006 to 42,887 incidents in fiscal year 2011, an increase of nearly
680 percent (see fig. 2). 8
and Recent Incidents
Illustrate Serious Risk

8
According to US-CERT, the growth in the number of incidents is attributable, in part, to
agencies improving detection and reporting of security incidents on their respective
networks.

Page 9 GAO-12-666T Cyber Threats

Figure 2: Incidents Reported to US-CERT: Fiscal Years 2006-
2011

Agencies reported the types of incidents and events based on US-CERT-

defined categories. As indicated in figure 3, the two most prevalent types
of incidents and events reported to US-CERT during fiscal year 2011
were unconfirmed incidents under investigation and malicious code.

Page 10 GAO-12-666T Cyber Threats

Figure 3: Types of Incidents Reported to US-CERT in Fiscal Year 2011 by
Category

Reported attacks and unintentional incidents involving federal, private,

and critical infrastructure systems demonstrate that the impact of a
serious attack could be significant. These agencies and organizations
have experienced a wide range of incidents involving data loss or theft,
computer intrusions, and privacy breaches, underscoring the need for
improved security practices. The following examples from news media
and other public sources illustrate that a broad array of information and
assets remain at risk.

• In April 2012, hackers breached a server at the Utah Department of

Health to access thousands of Medicaid records. Included in the
breach were Medicaid recipients and clients of the Children’s Health
Insurance Plan. About 280,000 people had their Social Security
numbers exposed. In addition, another 350,000 people listed in the
eligibility inquiries may have had other sensitive data stolen, including
names, birth dates, and addresses.
• In March 2012, it was reported that a security breach at Global
Payments, a firm that processed payments for Visa and Mastercard,
could compromise the credit- and debit-card information of millions of
Americans. Subsequent to the reported breach, the company’s stock

Page 11 GAO-12-666T Cyber Threats

 fell more than 9 percent before trading in its stock was halted. Visa
also removed the company from its list of approved processors.
• In February 2012, the inspector general at the National Aeronautics
and Space Administration testified that an unencrypted notebook
computer had been stolen from the agency in March 2011. The theft
resulted in the loss of the algorithms used to command and control
the International Space Station.
• In March 2012, a news wire service reported that the senior
commander of the North Atlantic Treaty Organization (NATO) had
been the target of repeated cyber attacks using the social networking
website Facebook that were believed to have originated in China.
According to the article, hackers repeatedly tried to dupe those close
to the commander by setting up fake Facebook accounts in his name
in the hope that his acquaintances would make contact and answer
private messages, potentially divulging sensitive information about the
commander or themselves.
• In March 2012, it was reported that Blue Cross Blue Shield of
Tennessee paid out a settlement of $1.5 million to the U.S.
Department of Health and Human Services arising from potential
violations stemming from the theft of 57 unencrypted computer hard
drives that contained protected health information of over 1 million
individuals.
• In January 2012, the Department of Commerce discovered that the
computer network of the department’s Economic Development
Administration (EDA) was hit with a virus, forcing EDA to disable e-
mail services and Internet access pending investigation into the cause
and scope of the problem, which persisted for over 12 weeks.
• In June 2011, a major bank reported that hackers had broken into its
systems and gained access to the personal information of hundreds of
thousands of customers. Through the bank’s online banking system,
the attackers were able to view certain private customer information.
• Citi reissued over 200,000 cards after a May 2011 website breach.
About 360,000 of its approximately 23.5 million North American card
accounts were affected, resulting in the potential for misuse of
cardholder personal information.
• In April 2011, Sony disclosed that it suffered a massive breach in its
video game online network that led to the theft of personal
information, including the names, addresses, and possibly credit card
data belonging to 77 million user accounts.
• In February 2011, media reports stated that computer hackers had
broken into and stolen proprietary information worth millions of dollars
from the networks of six U.S. and European energy companies.
• In July 2010, a sophisticated computer attack, known as Stuxnet, was
discovered. It targeted control systems used to operate industrial

Page 12 GAO-12-666T Cyber Threats

 processes in the energy, nuclear, and other critical sectors, reportedly
causing physical damage. It is designed to exploit a combination of
vulnerabilities to gain access to its target and modify code to change
the process.
• A retailer reported in May 2011 that it had suffered a breach of its
customers’ card data. The company discovered tampering with the
personal identification number (PIN) pads at its checkout lanes in
stores across 20 states.
• In August 2006, two circulation pumps at Unit 3 of the Browns Ferry,
Alabama, nuclear power plant failed, forcing the unit to be shut down
manually. The failure of the pumps was traced to excessive traffic on
the control system network, possibly caused by the failure of another
control system device.
These incidents illustrate the serious impact that cyber threats can have
on federal agency operations, the operations of critical infrastructures,
and the security of sensitive personal and financial information.

In summary, the cyber-threats facing the nation are evolving and growing,
with a wide array of potential threat actors having access to increasingly
sophisticated techniques for exploiting system vulnerabilities. The danger
posed by these threats is heightened by the weaknesses that continue to
exist in federal information systems and systems supporting critical
infrastructures. Ensuring the security of these systems is critical to
avoiding potentially devastating impacts, including loss, disclosure, or
modification of personal or sensitive information; disruption or destruction
of critical infrastructure; and damage to our national and economic
security.

Chairman McCaul, Ranking Member Keating, and Members of the

Subcommittee, this concludes my statement. I would be happy to answer
any questions you have at this time.

If you have any questions regarding this statement, please contact

Contact and Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Other
Acknowledgments key contributors to this statement include Michael Gilmore and Anjalique
Lawrence (Assistant Directors), Kristi C. Dorsey, and Lee A. McCracken.

Page 13 GAO-12-666T Cyber Threats

Appendix I: Related GAO Products
Appendix I: Related GAO Products

Management Report: Improvements Needed in SEC’s Internal Controls

and Accounting Procedures. GAO-12-424R. Washington, D.C.: April 13,
2012.

IT Supply Chain: National Security-Related Agencies Need to Better

Address Risks. GAO-12-361. Washington, D.C.: March 23, 2012.

Information Security: IRS Needs to Further Enhance Internal Control over

Financial Reporting and Taxpayer Data. GAO-12-393. Washington, D.C.:
March 16, 2012.

Cybersecurity: Challenges in Securing the Modernized Electricity Grid.

GAO-12-507T. Washington, D.C.: February 28, 2012.

Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but

More Can Be Done to Promote Its Use. GAO-12-92. Washington, D.C.:
December 9, 2011.

Cybersecurity Human Capital: Initiatives Need Better Planning and

Coordination. GAO-12-8. Washington, D.C.: November 29, 2011.

Information Security: Additional Guidance Needed to Address Cloud

Computing Concerns. GAO-12-130T. Washington, D.C.: October 6, 2011.

Information Security: Weaknesses Continue Amid New Federal Efforts to

Implement Requirements. GAO-12-137. Washington, D.C.: October 3,
2011.

Personal ID Verification: Agencies Should Set a Higher Priority on Using

the Capabilities of Standardized Identification Cards. GAO-11-751.
Washington, D.C.: September 20, 2011.

Information Security: FDIC Has Made Progress, but Further Actions Are
Needed to Protect Financial Data. GAO-11-708. Washington, D.C.:
August 12, 2011.

Cybersecurity: Continued Attention Needed to Protect Our Nation’s

Critical Infrastructure. GAO-11-865T. Washington, D.C.: July 26, 2011.

Defense Department Cyber Efforts: DOD Faces Challenges in Its Cyber

Activities. GAO-11-75. Washington, D.C.: July 25, 2011.

Page 14 GAO-12-666T Cyber Threats

Appendix I: Related GAO Products

Information Security: State Has Taken Steps to Implement a Continuous

Monitoring Application, but Key Challenges Remain. GAO-11-149.
Washington, D.C.: July 8, 2011.

Social Media: Federal Agencies Need Policies and Procedures for

Managing and Protecting Information They Access and Disseminate.
GAO-11-605. Washington, D.C.: Jun 28, 2011.

Cybersecurity: Continued Attention Needed to Protect Our Nation’s

Critical Infrastructure and Federal Information Systems. GAO-11-463T.
Washington, D.C.: March 16, 2011.

High-Risk Series: An Update. GAO-11-278. Washington, D.C.: February

2011.

Electricity Grid Modernization: Progress Being Made on Cybersecurity

Guidelines, but Key Challenges Remain to be Addressed. GAO-11-117.
Washington, D.C.: January 12, 2011.

Information Security: Federal Agencies Have Taken Steps to Secure

Wireless Networks, but Further Actions Can Mitigate Risk. GAO-11-43.
Washington, D.C.: November 30, 2010.

Cyberspace Policy: Executive Branch Is Making Progress Implementing

2009 Policy Review Recommendations, but Sustained Leadership Is
Needed. GAO-11-24. Washington, D.C.: October 6, 2010.

Information Security: Progress Made on Harmonizing Policies and

Guidance for National Security and Non-National Security Systems.
GAO-10-916. Washington, D.C.: September 15, 2010.

Information Management: Challenges in Federal Agencies’ Use of Web

2.0 Technologies. GAO-10-872T. Washington, D.C.: July 22, 2010.

Critical Infrastructure Protection: Key Private and Public Cyber

Expectations Need to Be Consistently Addressed. GAO-10-628.
Washington, D.C.: July 15, 2010.

Cyberspace: United States Faces Challenges in Addressing Global

Cybersecurity and Governance. GAO-10-606. Washington, D.C.: July 2,
2010.

Page 15 GAO-12-666T Cyber Threats

 Appendix I: Related GAO Products

Cybersecurity: Continued Attention Is Needed to Protect Federal

Information Systems from Evolving Threats. GAO-10-834T. Washington,
D.C.: June 16, 2010.

Cybersecurity: Key Challenges Need to Be Addressed to Improve

Research and Development. GAO-10-466. Washington, D.C.: June 3,
2010.

Information Security: Federal Guidance Needed to Address Control

Issues with Implementing Cloud Computing. GAO-10-513. Washington,
D.C.: May 27, 2010.

Information Security: Agencies Need to Implement Federal Desktop Core

Configuration Requirements. GAO-10-202. Washington, D.C.: March 12,
2010.

Information Security: Concerted Effort Needed to Consolidate and Secure

Internet Connections at Federal Agencies. GAO-10-237. Washington,
D.C.: March 12, 2010.

Cybersecurity: Progress Made but Challenges Remain in Defining and

Coordinating the Comprehensive National Initiative. GAO-10-338.
Washington, D.C.: March 5, 2010.

National Cybersecurity Strategy: Key Improvements Are Needed to

Strengthen the Nation’s Posture. GAO-09-432T. Washington, D.C.:
March 10, 2009.

Information Security: TVA Needs to Address Weaknesses in Control

Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.

Critical Infrastructure Protection: Multiple Efforts to Secure Control

Systems Are Under Way, but Challenges Remain. GAO-07-1036.
Washington, D.C.: September 10, 2007.

(311087)
Page 16 GAO-12-666T Cyber Threats
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding decisions.
GAO’s commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no

Obtaining Copies of cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and GAO posts on its website newly released reports, testimony, and
correspondence. To have GAO e-mail you a list of newly posted products,
Testimony go to www.gao.gov and select “E-mail Updates.”

Order by Phone The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s website,
http://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
Visit GAO on the web at www.gao.gov.
Contact:
To Report Fraud,
Waste, and Abuse in Website: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-

Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations 7125, Washington, DC 20548

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800

Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

Please Print on Recycled Paper.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

AT THE NEXUS OF CYBERSECURITY

AND PUBLIC POLICY
Some Basic Concepts and Issues

David Clark, Thomas Berson, and Herbert S. Lin, Editors

Committee on Developing a Cybersecurity Primer:

Leveraging Two Decades of National Academies Work

Computer Science and Telecommunications Board

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

THE NATIONAL ACADEMIES PRESS 500 Fifth Street, NW Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Gov-
erning Board of the National Research Council, whose members are drawn from
the councils of the National Academy of Sciences, the National Academy of Engi-
neering, and the Institute of Medicine. The members of the committee responsible
for the report were chosen for their special competences and with regard for
appropriate balance.

Support for this project was provided by the National Science Foundation under
Award Number CNS-0940372. Additional support was provided by Microsoft Cor-
poration, Google, Inc., and the President’s Committee of the National Academies.

-
cies that provided support for the project.

International Standard Book Number 13: 978-0-309-30318-7

International Standard Book Number 10: 0-309-30318-4
Library of Congress Control Number: 2014940211

This report is available from

Computer Science and Telecommunications Board

National Research Council
500 Fifth Street, NW
Washington, DC 20001

Additional copies of this report are available from the National Academies Press,
500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202)
334-3313; http://www.nap.edu.

Copyright 2014 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

The National Academy of Sciences

dedicated to the furtherance of science and technology and to their use for the
general welfare. Upon the authority of the charter granted to it by the Congress
in 1863, the Academy has a mandate that requires it to advise the federal govern-

National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the char-
-
ing engineers. It is autonomous in its administration and in the selection of its
members, sharing with the National Academy of Sciences the responsibility for
advising the federal government. The National Academy of Engineering also
sponsors engineering programs aimed at meeting national needs, encourages

The Institute of Medicine was established in 1970 by the National Academy of

Sciences to secure the services of eminent members of appropriate professions

Institute acts under the responsibility given to the National Academy of Sciences
by its congressional charter to be an adviser to the federal government and, upon
its own initiative, to identify issues of medical care, research, and education.
Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council

Sciences in 1916 to associate the broad community of science and technology
with the Academy’s purposes of furthering knowledge and advising the federal
government. Functioning in accordance with general policies determined by the
Academy, the Council has become the principal operating agency of both the
National Academy of Sciences and the National Academy of Engineering in pro-

communities. The Council is administered jointly by both Academies and the

vice chair, respectively, of the National Research Council.

www.national-academies.org

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

COMMITTEE ON DEVELOPING A CYBERSECURITY PRIMER:

LEVERAGING TWO DECADES OF
NATIONAL ACADEMIES WORK

DAVID CLARK, Massachusetts Institute of Technology, Chair

THOMAS BERSON, Anagram Laboratories
1 Georgetown University

Staff
HERBERT S. LIN, Study Director and Chief Scientist, Computer Science
and Telecommunications Board
ERIC WHITAKER, Senior Program Assistant, Computer Science and
Telecommunications Board

1 Ms. Blumenthal resigned from the committee on May 1, 2013, and accepted a position

iv

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

ROBERT F. SPROULL, University of Massachusetts, Amherst, Chair

LUIZ ANDRÉ BARROSO, Google, Inc.
STEVEN M. BELLOVIN, Columbia University
ROBERT F. BRAMMER, Brammer Technology, LLC
EDWARD FRANK, Apple, Inc.

LAURA M. HAAS, IBM Alamaden Research Laboratory

MARK A. HOROWITZ, Stanford University
MICHAEL KEARNS, University of Pennsylvania
ROBERT KRAUT, Carnegie Mellon University
SUSAN LANDAU, Google, Inc.
PETER LEE, Microsoft Corporation
DAVID E. LIDDLE, US Venture Partners
BARBARA LISKOV, Massachusetts Institute of Technology

PETER SZOLOVITS, Massachusetts Institute of Technology

RENEE HAWKINS, Financial and Administrative Manager

HERBERT S. LIN, Chief Scientist
ERIC WHITAKER, Senior Program Assistant

For more information on CSTB, see its Web site at http://www.cstb.org,

write to CSTB, National Research Council, 500 Fifth Street, NW, Washing-
ton, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Preface

Today, cybersecurity is widely viewed as a matter of pressing national

importance. Many elements of cyberspace are notoriously vulnerable to
-

sector companies both large and small suffer from cyber thefts of sensitive
information, cyber vandalism (e.g., defacing of Web sites), and denial-of-
service attacks. The nation’s critical infrastructure, including the electric
-

operation.
Concerns about the vulnerability of the information technology on
which the nation relies have deepened in the security-conscious envi-
ronment after the September 11, 2001, attacks and in light of increased
cyber espionage directed at private companies and government agencies
in the United States. National policy makers have become increasingly
concerned that adversaries backed by considerable resources will attempt

have been advanced, and a number of bills have been introduced in Con-
gress to tackle parts of the cybersecurity challenge.
Although the larger public discourse sometimes treats the topic of
cybersecurity as a new one, the Computer Science and Telecommunica-

vii

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

viii PREFACE

cybersecurity as a major challenge for public policy.1 CSTB work in cyber-

-
tion on practical measures, technical and nontechnical challenges, and
potential policy responses. Produced by the Committee on Developing a
Cybersecurity Primer: Leveraging Two Decades of National Academies
-
oped in this body of work to provide a concise primer on the fundamen-

the report also addresses issues not covered in earlier CSTB work, and
the committee acknowledges with gratitude input from William Press

Savage (University of California, San Diego), and William Sanders (Uni-

versity of Illinois at Urbana-Champaign) on a variety of cybersecurity-
related topics in the course of its work.
As a primer, this report presents fundamental concepts and principles

change rapidly, but the fundamental concepts and principles endure, or

at least they change much more slowly. These concepts and principles are

incidents, although they manifest themselves in a wide variety of different

technologies and incidents.
The report’s emphasis on fundamental concepts and principles also
means that in the interest of brevity, coverage in this primer cannot be

-
tial resource.

1 The Web page at http://sites.nationalacademies.org/CSTB/CSTB_059144 lists all CSTB

reports related to cybersecurity.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

PREFACE ix

BOX P.1 Selected Computer Science and Telecommunications

Board Work on Cybersecurity—A Brief Summary of Highlights

The 1991 CSTB report Computers at Risk warned that “as computer systems
become more prevalent, sophisticated, embedded in physical processes, and
interconnected, society becomes more vulnerable to poor system design . . . and
attacks on computer systems” and that “the nature and magnitude of computer
system problems are changing dramatically” (p. 1). It also lamented that “known
techniques are not being used” to increase security.
In 1999, CSTB released Trust in Cyberspace, which proposed a research
agenda to increase the trustworthiness of information technology (IT), with a spe-
cial focus on networked information systems. This report went beyond security
matters alone, addressing as well other dimensions of trustworthiness such as
correctness, reliability, safety, and survivability. Importantly, it also noted that “eco-
nomic and political context is critical to the successful development and deploy-
ment of new technologies” (p. viii).
In 2002, CSTB issued Cybersecurity Today and Tomorrow: Pay Now or Pay
Later, which reprised recommendations from a decade of CSTB cybersecurity
studies. Its preface noted that “it is a sad commentary on the state of the world
that what CSTB wrote more than 10 years ago is still timely and relevant. For those
who work in computer security, there is a deep frustration that research and recom-
mendations do not seem to translate easily into deployment and utilization” (p. v).
CSTB’s 2007 report Toward a Safer and More Secure Cyberspace observed
that “there is an inadequate understanding of what makes IT systems vulnerable
to attack, how best to reduce these vulnerabilities, and how to transfer cybersecu-
rity knowledge to actual practice” (p. vii). It set forth an updated research agenda,
sought to inspire the nation to strive for a safer and more secure cyberspace, and
focused “substantial attention on the very real challenges of incentives, usability,
and embedding advances in cybersecurity into real-world products, practices, and
services” (p. xii).
In 2009, CSTB turned its attention to the technical and policy dimensions
of cyberattack—the offensive side of cybersecurity. Technology, Policy, Law, and
Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities concluded
that although cyberattack capabilities are an important asset for the United States,
the current policy and legal framework for their use is ill-formed, undeveloped,
and highly uncertain and that U.S. policy should be informed by an open and
public national debate on technological, policy, legal, and ethical issues posed by
cyberattack capabilities.
In 2010, the CSTB report Toward Better Usability, Security, and Privacy of
Information Technology: Report of a Workshop identified research opportunities
and ways to embed usability considerations in design and development related to
security and privacy. In that year, CSTB also produced a second workshop report,
Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and
Developing Options, a collection of papers that examined governmental, economic,
technical, legal, and psychological challenges involved in deterring cyberattacks.

NOTE: All of these reports were published by the National Academies Press, Washington, D.C.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

x PREFACE

BOX P.2 The Project Statement of Task

A primer on the technical and policy issues of cybersecurity, building on more

than two decades of prior Academies work, will be developed under the auspices
of a small study committee. The report will examine what is known about effective
technical and nontechnical approaches, the state of the art and open challenges,
why relatively little progress has been made in cybersecurity despite the recom-
mendations of many reports from the Academies and elsewhere, and potential
policy responses. Much of the material will be drawn directly from previous reports.
The committee will also review emerging issues and new technical and nontechni-
cal approaches that may not have been covered in previous National Research
Council reports.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen

procedures approved by the National Research Council’s Report Review

Committee. The purpose of this independent review is to provide candid
and critical comments that will assist the institution in making its pub-
lished report as sound as possible and to ensure that the report meets
institutional standards for objectivity, evidence, and responsiveness to
the study charge. The review comments and draft manuscript remain

to thank the following individuals for their review of this report:

Steven Bellovin, Columbia University,

RuthAnne Bevier, California Institute of Technology,

Butler Lampson, Microsoft Corporation, and

Steven Wallach, Convey Computer Corporation.

Although the reviewers listed above have provided many construc-

tive comments and suggestions, they were not asked to endorse the con-

The review of this report was overseen by Sam Fuller (Analog Devices).
Appointed by the National Research Council, he was responsible for mak-

xi

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

xii ACKNOWLEDGMENT OF REVIEWERS

out in accordance with institutional procedures and that all review com-

this report rests entirely with the authoring committee and the institution.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Contents

1.1 On the Meaning and Importance of Cyberspace and

Cybersecurity, 7
1.2 Cybersecurity and Public Policy Concerns, 10

2 SOME BASICS OF COMPUTING AND COMMUNICATIONS 18

2.1 Computing Technology, 18

2.2 Communications Technology and the Internet, 21
2.3 Information Technology Systems, 27

3.1 On the Terminology for Discussions of Cybersecurity and

Public Policy, 29
3.2 What It Means to Be an Adversary in Cyberspace, 31

3.2.2 Cyberattack, 32

Attack, 35
3.3 Inherent Vulnerabilities of Information Technology, 35

xiii

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

xiv CONTENTS

3.4 The Anatomy of Adversarial Activities in Cyberspace, 40

3.4.1 Cyber Penetration, 41
3.4.2 Cyber Payloads (Malware), 46
3.4.3 Operational Considerations, 48

3.6 Threat Assessment, 52

4.1 Approaches to Improving Security, 53

4.1.1 Reducing Reliance on Information Technology, 53
4.1.2 Knowing That Security Has Been Penetrated, 54
4.1.3 Defending a System or Network, 57
4.1.4 Ensuring Accountability, 62
4.1.5 Building a Capacity for Containment, Recovery, and
Resilience, 69
4.1.6 Employing Active Defense, 71
4.2 Nontechnological Dimensions of Cybersecurity, 75
4.2.1 Economics, 76
4.2.2 Psychology, 77
4.2.3 Law, 81

4.2.5 Deterrence, 86
4.3 Assessing Cybersecurity, 88
4.4 On the Need for Research, 90

5.1 Economics, 93
5.1.1 Economic Approaches to Enhancing
Cybersecurity, 93
5.1.2 Economic Impact of Compromises in
Cybersecurity, 96
5.2 Innovation, 98
5.3 Civil Liberties, 100
5.3.1 Privacy, 100

5.3.3 Due Process, 102

5.4 International Relations and National Security, 103
5.4.1 Internet Governance, 103
5.4.2 Reconciling Tensions Between Cybersecurity and
Surveillance, 104
5.4.3 Norms of Behavior in Cyberspace, 106

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

CONTENTS xv

5.4.4 Managing the Global Supply Chain for Information

Technology, 111
5.4.5 Role of Offensive Operations in Cyberspace, 113

6 FINDINGS AND CONCLUSION 116

6.1 Findings, 116
6.2 Conclusion, 124

APPENDIXES

A Committee Members and Staff 129

B Bibliography 132

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Summary

Nations are increasingly dependent on information and information

technology. Companies rely on computers for diverse business processes
ranging from payroll and accounting to the tracking of inventory and
sales, to support for research and development. Distribution of food,
water, and energy is dependent on computers and networks at every

Modern military forces use weapons that are computer controlled. Even
more important, the movements and actions of military forces are increas-
ingly coordinated through computer-based networks that allow informa-

In light of this dependence on information technology, cybersecurity

is increasingly important to the nation, and cyberspace is vulnerable
to a broad spectrum of hackers, criminals, terrorists, and state actors.
Working in cyberspace, these malevolent actors can steal money, intellec-

impersonate law-abiding parties for their own purposes; harass or bully

innocent people anonymously; damage important data; destroy or disrupt
the operation of physical machinery controlled by computers; or deny the
availability of normally accessible services.
A number of factors, such as the September 11, 2001, attacks and
higher levels of cyber espionage directed at private companies and gov-
ernment agencies in the United States, have deepened concerns about
the vulnerability of the information technology (IT) on which the nation

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

2 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

substantial harm on the nation. Numerous policy proposals have been

advanced, and a number of bills have been introduced in Congress to
tackle parts of the cybersecurity challenge.
It is to help decision makers and the interested public make informed
choices that this report was assembled. The report is fundamentally a

leverages insights developed in work by the National Research Council’s

Computer Science and Telecommunications Board over more than two
decades on practical measures for cybersecurity, technical and nontechni-
cal challenges, and potential policy responses.

dependent on computing and communications technology; the informa-

tion that these artifacts use, store, handle, or process; and how these vari-
ous elements are connected. Security in cyberspace (i.e., cybersecurity) is
about technologies, processes, and policies that help to prevent and/or
reduce the negative impact of events in cyberspace that can happen as the
result of deliberate actions against information technology by a hostile or
malevolent actor.
Cybersecurity issues arise because of three factors taken together—
the presence of malevolent actors in cyberspace, societal reliance on IT for
many important functions, and the inevitable presence of vulnerabilities
in IT systems that malevolent actors can take advantage of. Despite these

they are supposed to do and only when they are supposed to do it, and

is the purpose of cybersecurity.

Against this backdrop, it appears that cybersecurity is a never-end-
ing battle, and a permanently decisive solution to the problem will
not be found in the foreseeable future.1 Cybersecurity problems result
-
ing judgments about what actions and information are safe or unsafe
from a cybersecurity perspective. Furthermore, threats to cybersecurity
evolve, and adversaries—especially at the high-end part of the threat
spectrum—constantly adopt new tools and techniques to compromise
security when defenses are erected to frustrate them. As information tech-
nology becomes more ubiquitously integrated into society, the incentives
to compromise the security of deployed IT systems grow. Thus, enhancing

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SUMMARY 3

in which it is embedded—must be understood as an ongoing process

rather than something that can be done once and then forgotten.
Ultimately, the relevant policy question is not how the cybersecurity
problem can be solved, but rather how it can be made manageable. Soci-

drug abuse, and so on are rarely “solved” or taken off the policy agenda
-

so decisively that they will never reappear—and the same is true for
cybersecurity.
At the same time, improvements to the cybersecurity posture of
-
able value in reducing the loss and damage that may be associated with
cybersecurity breaches. A well-defended target is less attractive to many
malevolent actors than are poorly defended targets. In addition, defensive

thus making intrusion attempts slower and more costly and possibly
helping to deter future intrusions.
Improvements to cybersecurity call for two distinct kinds of activ-
ity: efforts to more effectively and more widely use what is known
about improving cybersecurity, and efforts to develop new knowledge
about cybersecurity. The gap in security between the U.S. national cyber-

gap is the difference between what our cybersecurity posture is and what
it could be if known best cybersecurity practices and technologies were
widely deployed and used. The second part (Part 2) is the gap between
the strongest posture possible with known practices and technologies
-
technical in nature (requiring, e.g., research relating to economic or psy-
chological factors regarding the use of known practices and techniques,
enhanced educational efforts to promote security-responsible user behav-

security awareness). Closing the Part 1 gap does not require new technical

technical knowledge. Research will be needed to understand how better

to promote deployment and use of such knowledge. Closing the Part 2
gap is where new technologies and approaches are needed, and is the
fundamental rationale for technical research in cybersecurity.
Publicly available information and policy actions to date have been

For
a number of years, the cybersecurity issue has received increasing public
attention, and a greater amount of authoritative information regarding

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

4 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

cybersecurity threats is available publicly. But all too many decision mak-
-
tional cybersecurity postures, and little has been done to harness market
forces to address matters related to the cybersecurity posture of the nation
as a whole. If the nation’s cybersecurity posture is to be improved to a
level that is higher than the level to which today’s market will drive it, the
-
curity must be altered in some fashion.
Cybersecurity is important to the nation, but the United States
-
tives of cybersecurity. Tradeoffs are inevitable and will have to be
accepted through the nation’s political and policy-making processes.
Senior policy makers have many issues on their agenda, and they must set
priorities for the issues that warrant their attention. In an environment of
many competing priorities, reactive policy making is often the outcome.
Support for efforts to prevent a disaster that has not yet occurred is typi-
cally less than support for efforts to respond to a disaster that has already

or few attempts have yet been made to compromise the cybersecurity of

application X -
tifying why immediate attention and action to improve the cybersecurity
posture of application X can be deferred or studied further.
Progress in cybersecurity policy has also stalled at least in part

yes, but we also want a private sector that innovates rapidly, and the con-
venience of not having to worry about cybersecurity, and the ability for
applications to interoperate easily and quickly with one another, and the
right to no diminution in our civil liberties, and so on. Although research
and deeper thought may reveal that, in some cases, tradeoffs between
security and these other equities are not as stark as they might appear at

when they are irreconcilable, and honest acknowledgment and discus-

sion of the tradeoffs (e.g., a better cybersecurity posture may reduce the
nation’s innovative capability, may increase the inconvenience of using
information technology, may reduce the ability to collect intelligence) will
go a long way toward building public support for a given policy position.
The use of offensive operations in cyberspace as an instrument
to advance U.S. interests raises many important technical, legal, and
-
ernment. Some of these questions involve topics such as U.S. offensive
capabilities in cyberspace, rules of engagement, doctrine for the use of
-
ment of Defense and the intelligence community, and a host of other

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SUMMARY 5

topics related to offensive operations. It is likely that behind the veil of

opacity has many undesirable consequences, but one of the most impor-
tant consequences is that the role offensive capabilities could play in
defending important information technology assets of the United States
cannot be discussed fully.
What is sensitive about offensive U.S. capabilities in cyberspace is

(rather than the nature of that technology itself); fragile and sensitive

-
ticular vulnerability, a particular operational program); or U.S. knowledge

-
vides a generally reasonable basis for understanding what can be done
and for policy discussions that focus primarily on what should be done.

but not limited to computer science and information technology, psychol-

sociology, decision sciences, international relations, and law. Although

technical measures are an important element, cybersecurity is not primar-
ily a technical matter, although it is easy for policy analysts and others
to get lost in the technical details. Furthermore, what is known about
cybersecurity is often compartmented along disciplinary lines, reducing

will never be solved once and for all. Solutions to the problem, limited in
scope and longevity though they may be, are at least as much nontechni-
cal as technical in nature.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

1.1 ON THE MEANING AND IMPORTANCE OF

CYBERSPACE AND CYBERSECURITY
Most people in modern society encounter computing and communi-

-
puters are not openly visible. People type at the keyboard of computers or
tablets and use their smart phones daily. People’s personal lives involve
computing through social networking, home management, communica-
tion with family and friends, and management of personal affairs. The
operation of medical devices implanted in human bodies is controlled by
embedded (built-in) microprocessors.
A much larger collection of information technology (IT) is instru-

government. Companies large and small rely on computers for diverse

business processes ranging from payroll and accounting to the tracking
of inventory and sales, to support for research and development (R&D).
The distribution of food and energy from producer to retail consumer
depends on computers and networks at every stage. Nearly everyone
(in everyday society, business, government, and the military services)
relies on wireless and wired digital communications systems. IT is used

care, utilities, transportation, and retail and management services. Indeed,

the architecture of today’s enterprise IT systems is the very embodiment

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

8 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

“traditional” industries such as manufacturing without IT.

Today and increasingly in the future, computing and communications
technologies (collectively, information technologies) are found and will
be more likely to be found in places where they are essentially invisible
to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets,
watches, doorbells, medicine bottles, walls, paint, structural beams, roads,
-
ing some embedded in human beings). These devices will be connected—
the so-called Internet of Things. Computing will be embedded in myriad
places and objects; even today, computing devices are easily transported
in pockets or on wrists. Computing devices will be coupled to multiple
sensors and actuators. Computing and communications will be seamless,
enabling the tight integration of personal, family, and business systems.
Sensors, effectors, and computing will be networked together so that they
pass relevant information to one another automatically.
In this emerging era of truly pervasive computing, the ubiquitous
integration of computing and communications technologies into com-
mon everyday objects enhances their usefulness and makes life easier
-
ances will make appropriate information available on demand, enabling
users to be more productive in both their personal and their professional
lives. And, as has been true with previous generations of IT, interconnec-
tions among all of these now-smart objects and appliances will multiply
their usefulness many times over.

“cyberspace” often arises. Although “cyberspace” does not have a single

1 some things can be said about how the term

is used in this report. First, cyberspace is not a physical place, although

many elements of cyberspace are indeed physical, do have volume and

three spatial dimensions. Second, cyberspace includes but is not limited

to the Internet—cyberspace also includes computers (some of which are
attached to the Internet and some not) and networks (some of which may
be part of the Internet and some not). Third, cyberspace includes many
intangibles, such as information and software and how different elements
of cyberspace are connected to each other.

https://blogs.cisco.com/security/cyberspace-what-is-it/.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

WHY CARE ABOUT CYBERSECURITY? 9

based on or dependent on computing and communications technology;

the information that these artifacts use, store, handle, or process; and the
interconnections among these various elements. But the reader should

precise one.
Given our dependence on cyberspace, we want and need our infor-
mation technologies to do what they are supposed to do and only when
they are supposed to do it. We also want these technologies to not do
things they are not supposed to do. And we want these things to be true
in the face of deliberately hostile or antisocial actions.
Cybersecurity issues arise because of three factors taken together.
First, we live in a world in which there are parties that will act in deliber-
ately hostile or antisocial ways—parties that would do us harm or sepa-
rate us from our money or violate our privacy or steal our ideas. Second,
we rely on IT for a large and growing number of societal functions. Third,
IT systems, no matter how well constructed (and many are not as well
constructed as the state of the art would allow), inevitably have vulner-
abilities that the bad guys can take advantage of.

Security in cyberspace (i.e., cybersecurity) is about technologies, processes, and

policies that help to prevent and/or reduce the negative impact of events in
cyberspace that can happen as the result of deliberate actions against information
technology by a hostile or malevolent actor.
-
essary to elaborate on the meaning of “impact,” on what makes impact
“negative,” and on what makes an actor “hostile” or “malevolent.”

information artifact (software or hardware) has impact—Chapter 3 dis-

cusses different kinds of impact that are related to cybersecurity. But any
given impact can be positive or negative and any actor can be virtuous or
malevolent, depending on the perspective of the parties involved—that
is, who is a perpetrator and who is a target.
In many cases with which readers of this report are likely to be
concerned, the meanings of these terms are both reasonably clear and

an impact negative is that their information technology no longer works

are relying on such technologies and it is the U.S. government that takes
actions to render their technologies inoperative, the impact would usually
be seen as positive.
Similarly, many repressive regimes put into place various mecha-
nisms in cyberspace to monitor communications of dissidents. These

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

10 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

regimes may regard as “malevolent actors” those who help dissidents

breach the security of these mechanisms and circumvent government
monitoring, but others may well regard such parties as virtuous rather
than malevolent actors. Compromising the cybersecurity of an Internet-
based mechanism for conducting surveillance against such parties has
a negative impact from the standpoint of these regimes, but a positive
impact for those seeking to open up these regimes.
There are also cases of concern to readers of this report in which the
meanings of “negative” and “malevolent” may not be shared. Consider
the debate over Internet surveillance by the National Security Agency

2013. According to news stories on these documents in the Washington

Post and the Guardian, the NSA has engaged in a broad program of elec-
tronic surveillance for counterterrorism purposes.2 Some of the reactions

defended the actions of the NSA as a vital element in U.S. counterterror-

ism efforts.

Indeed, one of the most important lessons to emerge from cybersecurity

factors can have an impact on cybersecurity that is at least as great as

technology’s impact. A full consideration of cybersecurity necessarily
-

1.2 CYBERSECURITY AND PUBLIC POLICY CONCERNS

wrote in Computers at Risk:

We are at risk. Increasingly, America depends on computers. They control

are used to store vital information, from medical records to business

plans to criminal records. Although we trust them, they are vulnerable—

and perhaps most alarmingly, to deliberate attack. The modern thief can

Learned from Edward Snowden in 2013,” National Journal, December 31, 2013, available at
http://www.nationaljournal.com/defense/everything-we-learned-from-edward-snowden-
in-2013-20131231.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

WHY CARE ABOUT CYBERSECURITY? 11

steal more with a computer than with a gun. Tomorrow’s terrorist may
be able to do more damage with a keyboard than with a bomb. (p. 7)

What is worrisome from a public policy perspective is that the words

-
-
cance has grown as our reliance on IT has increased. Table 1.1 illustrates
some of the security consequences of the changes in the information
technology environment in the past 20 years.
The IT on which we rely is for the most part created, owned, and
operated by the private sector, which means that improving the cyberse-
curity posture of the nation will require action by relevant elements of the
private sector. Nonetheless, many parties believe that the government has
an important role in helping to address cybersecurity problems, in much
the same way that the government has many responsibilities for national
security, law enforcement, and other problems of societal scale.

TABLE 1.1 Potential Security Consequences of More Than Two

Decades’ Worth of Change in Information Technology (IT)
Potential Security Consequence
Change Since 1990 (illustrative, not comprehensive)
Microprocessors, storage devices, More integration of IT into the
communications links, and so on—the raw functions of daily life means more
hardware underlying IT—demonstrate opportunities for malevolent actors to
performance that is several orders of compromise those functions.
magnitude more capable than their
counterparts of 20 years ago.
Devices for computing have shifted New security approaches are needed
to secure battery-operated devices
mobile computing: tablets, pads, smart with relatively little computational
phones, smart watches, and so on. Desktop power.
and laptop computers are still important
to many end users, especially in business App stores can provide greater
environments, but mobile devices are assurance about the security of
ubiquitous today. Accompanying this installed software.
change are new business models for
providing software to end users—vendor-
controlled or vendor-operated app control over computing resources
stores are now common. Many corporate used on their behalf.
employees use their personally owned
computing devices for business purposes.

continued

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

12 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

TABLE 1.1 Continued

Potential Security Consequence
Change Since 1990 (illustrative, not comprehensive)
Cyberphysical systems are physical IT-based control of cyberphysical
systems that are controlled at least in part systems means that cybersecurity
by IT. Physical devices with embedded compromises can affect physical
computing accept data from the physical systems and may cause death,
world (through sensors such as cameras destruction, or physical damage.
or thermometers) and/or cause changes
in the physical world (through actuators
such as a motor that causes something to
move or a heater that heats a fluid). Such
systems are everywhere—in manufacturing
assembly lines, chemical production
plants, power generation and transmission
facilities, automobiles, airplanes, buildings,
heating and cooling facilities, and so on—

operation of these systems.

Cloud computing has become increasingly Concentration of computing resourc-
popular as a way for businesses (and es for many parties potentially offers
individuals) to increase the efficiency a “big fat target” for malevolent ac-
tors. Cloud computing infrastructure
management and IT infrastructure, cloud may also provide malevolent actors a
computing promises to reduce the cost of platform from which to launch their
computing and increase its accessibility to -
a geographically dispersed user base. ever, enables providers of computing

-
able administrators.
The number of Internet users has grown
by at least two orders of magnitude in the untutored in the need for security
past two decades, and hundreds of millions and are thus more vulnerable.
of new users (perhaps as many as a billion)
will begin to use the Internet as large parts A larger user base means a larger
of Africa, South America, and Asia come number of potentially malevolent
actors.
devices will become increasingly connected
to the Internet of Things, on the theory that
network connections between these devices
will enable them to operate more efficiently
and effectively.
The rise of social networking and Connectivity among friends and
contacts offers opportunities for
such as Facebook and Twitter, is based on malevolent actors to improperly
the ability of IT to bring large numbers of take advantage of trust
people into contact with one another. relationships.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

WHY CARE ABOUT CYBERSECURITY? 13

Public policy concerns about the effects of inadequate cybersecurity

are often lumped into a number of categories:

Cybercrime
the Internet and IT to steal valuable assets (e.g., money) from their rightful
owners or otherwise to take actions that would be regarded as criminal
if these actions were taken in person, and a breach of security is usually
an important element of the crime. Criminal activity using cyber means
includes cyber fraud and theft of services (e.g., stealing credit card num-
bers); cyber harassment and bullying (e.g., taking advantage of online
anonymity to threaten a victim); cyber vandalism (e.g., defacing a Web
site); penetration or circumvention of cybersecurity mechanisms intended
to protect the privacy of communications or stored information (e.g.,

identity theft (e.g., stealing login names and passwords to forge e-mail
or to improperly manipulate bank accounts). Loss of privacy and theft
of intellectual property are also crimes (at least sometimes) but generally
occupy their own categories of concern. Note also that in addition to the
-
curity consume resources (e.g., money, talent) that could be better used to
build improved products or services or to create new knowledge. And, in
some cases, concerns about cybersecurity have been known to inhibit the
use of IT for some particular application, thus leading to self-denial of the

Loss of privacy. Losses of privacy can result from the actions of oth-
ers or of the individual concerned. Large-scale data breaches occur from
time to time, for reasons including loss of laptops containing sensitive
data and system penetrations by sophisticated intruders. Intruders have
used the sound and video capabilities of home computers for blackmail

based social networks without understanding the privacy implications of

doing so, and are later surprised when such information is accessible to
-
als are concerned about the privacy of their data and communications,
and a variety of U.S. laws guard against improper disclosure of such
information.
Activism
to promote, block, or protest social or political change. Compromises
in cybersecurity have been used in some activist efforts in cyberspace,
wherein activists may compromise the cybersecurity of an installation in
an effort to make a political statement or to call attention to a cause, for

release or by defacing a public-facing Web site. Activism may also be an

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

14 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

sites belonging to adversaries of Nation A.

Misappropriation of intellectual property such as proprietary software,
R&D work, blueprints, trade secrets, and other product information. Con-
cern over theft of intellectual property is especially pronounced when

goods and services vital to national security. Although misappropriation

of trade secrets is prohibited under international trade law, many coun-
tries in the world conduct activities aimed at collecting information that
might be economically useful to their domestic companies.3 Private com-
panies also have incentives to undertake these latter activities, although
in many cases some of such activity is forbidden by domestic laws.
Espionage. Espionage refers to one nation’s attempts to gather intel-
ligence on other nations, where intelligence information includes informa-
tion related to national security and foreign affairs. Cyber espionage refers
to national-level entities conducting espionage activities using cyber
means to obtain important intelligence information relevant to national
-
lection of intelligence information about another nation is not prohibited
under international law.
Denials (or disruption) of service. When services are not available
when needed, the elements of society that rely on those services are
inconvenienced and may be harmed. Denials of service per se do not
necessarily entail actual damage to the facilities providing service. For
-
ing it impossible to place one, but as soon as the attacker stops, it again
becomes possible to make a call. Denial of services is described further in
Chapter 3.
Destruction of or damage to physical property. Such concerns fall into
three general categories:
— Individual cyberphysical systems, such as automobiles, airliners,
and medical devices. Increasingly, computers control the opera-
tion of such systems, and communications links, either wired or
wireless, connect them to other computational devices. Thus, a
malevolent actor might be able to improperly assume control of
individual cyberphysical systems or to obtain information (e.g.,
medical information) that should be private.
— Critical infrastructure, which includes multiple facilities for
electric power generation and transmission, telecommunications,

storage, and water supply. Although failures in individual facilities

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

WHY CARE ABOUT CYBERSECURITY? 15

-
sive loss of life, long-lasting disruption of the services that these

loss. Policy makers have become increasingly concerned about

cyber threats to critical infrastructure emanating from both nations
and terrorist groups.
— . Modern economies depend in large measure

everyday activities. Under some circumstances, it is possible that

even symbols of the nation, such as important monuments) could

considered to have some catastrophic potential as well.

As far as is known publicly, actual destruction of or damage to physi-
cal property to date has been a relatively rare occurrence, although there
have been many incidents in the other categories outlined above.
Threats to national security and cyber war. U.S. armed forces depend
heavily on IT for virtually every aspect of their capabilities—weapons sys-
tems; systems for command, control, communications, and intelligence;
systems for managing logistics; and systems for administration. Given
that dependence, potential adversaries are developing ways to threaten
the IT underlying U.S. military power.4 In addition, other nations are
also using IT in the same ways that the United States is using it, for both
military and civilian purposes, suggesting that the United States could
itself seek opportunities to advance its national interests by going on the
offensive in cyberspace.

Concerns about the areas described above have made cybersecurity a

hot topic that has garnered substantial public and government attention.
In international circles too, such as the United Nations and NATO, as well
as in bilateral relationships with parties such as China and the European
Union, cybersecurity is moving higher on the agenda.
But as important as cybersecurity is to the nation, progress in public
policy to improve the nation’s cybersecurity posture has not been as rapid

policy issues—and measures taken to improve cybersecurity potentially

4 Department of Defense Strategy for Operating

in Cyberspace

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

16 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

have negative effects in these other areas. Some of the most important

Economics. The costs of action to improve cybersecurity beyond an

necessary, and the costs of inaction are not borne by the relevant decision
makers. Decision makers discount future possibilities so much that they
do not see the need for present-day action. Also, cybersecurity is increas-
ingly regarded as a part of risk management—an important part in many

debates as well—with all of the competing demands for a share of govern-

ment budgets and attention from senior policy makers, policy progress in
cybersecurity has been slower than many have desired.
Innovation. The private sector is constantly trying to bring forward
new applications and technologies that improve on old ways of perform-
ing certain functions and offer useful new functions. But attention to
security can slow bringing new products and services to market, with the
result that new technologies and applications are often offered for general

question is how to manage the tradeoff between the pace of innovation

and a more robust security posture.
Civil liberties. Some measures proposed to improve cybersecurity
for the nation potentially infringe on civil liberties, such as privacy, ano-
nymity, due process, freedom of association, free speech, and due process.
Advocates of such measures either argue that their favored measures do
not infringe on civil liberties, or assert that the infringements are small

because changes in information technology have gone beyond the tech-

Smith vs. Maryland) held that

metadata on phone calls (i.e., the phone numbers involved and the dura-
tion and time of the call) was less worthy of privacy protection than was
“content” information, that is, what the parties to a phone call actually say
to each other. But the concept of metadata has come to mean “data asso-
ciated with a communication that is not communications content,” and
given the way modern electronic communications operate, the relevance
of the 1979 precedent has been challenged as many analysts assert that
metadata is more revealing than content information.5

IEEE Security and Privacy

February):62-64, 2014, available at http://doi.ieeecomputersociety.org/10.1109/

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

WHY CARE ABOUT CYBERSECURITY? 17

International relations and national security. Because of the world-

wide Internet and a global supply chain in which important elements of
information technology are created, manufactured, and sold around the
world, cyberspace does not have physical national borders. But the world

physical artifact of information technology is located somewhere. Conse-

with other nations—that is, in their international relations.

1.3 ORGANIZATION OF THIS REPORT

Chapter 2 presents some fundamental concepts in information tech-
nology that are necessary for understanding cybersecurity. Chapter 3

what it means to compromise cybersecurity. Chapter 4 describes a variety

of methods for strengthening and enhancing cybersecurity. Chapter 5 is
devoted to a further discussion of key public policy issues relating to

of course. Large-scale analysis of phone metadata reveals patterns of communication—

the identities of communicating parties, and when and with what frequency such
communications occur. For some people in some situations, a map of their communications
patterns is more privacy-sensitive than what they are saying in their conversations or even in
any one conversation; in other situations for other people, their patterns of communication
are less sensitive.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Some Basics of Computing and

Communications Technology and

2.1 COMPUTING TECHNOLOGY

The computers at the heart of information technology are gener-
ally stored-program computers. A program is the way an algorithm is
represented in a form understandable by a computer. An algorithm is a
particular method devised to solve a particular problem (or class of prob-
lems). Computers do what the program tells them to do given particular

that is, how to program it.

A program is implemented as a sequence of instructions to the com-
puter; each instruction directs the computer to take some action, such as
adding two numbers or activating a device connected to it. Instructions
are stored in the memory of the computer, as are the data on which these
instructions operate.
A particularly important instruction is conditional. Let’s call X a state-
ment about some particular data that is either true or false. Then if X is
true, the computer does something (call it A); if X is not true, the computer
does something else (call it B). In this way, the sequence of instructions

the data provided to the computer. Furthermore, the number of possible

of decisions: a program with only 10 “yes” or “no” decisions can have

more than 1000 possible paths, and one with 20 such decisions can have
more than 1 million.

18

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SOME BASICS OF COMPUTING AND COMMUNICATIONS TECHNOLOGY 19

A second key point about computing is that information processed

by computers and communication systems is represented as sequences
of bits (i.e., binary digits). Such a representation is a uniform way for
computers and communication systems to store and transmit all infor-

source per se simply by creating the bits and then can be used to produce
everything from photo-realistic images to an animation to forged e-mail.
Digital encoding can represent many kinds of information with which

As bit sequences, information can be found in two forms—information

card; and information in transit through a cable or over a wireless link

from one location to another.
Why do these aspects of computing technology matter for security

depending on the data means that the programmer must anticipate what
the program should do for all possible data inputs. This mental task is of

to properly anticipate some particular set of data (e.g., the program pro-
cesses only numeric input, and fails to account for the possibility that a
user might input a letter).
A further consequence is that for programs of any meaningful utility,
testing for all possible outcomes is essentially impossible when treating

inputs. This means that although it may be possible to show that the pro-
gram does what it is supposed to do when presented with certain inputs,
it is impossible to show that it will never do what it is not supposed to do

upon receiving that particular sequence, the program can (deliberately)

The digital representation of information has a number of important

as sequences of bits means that there is no inherent association between

originator—that is, information is inherently anonymous. A programmer

additional data can, in principle, be separated from the information of

interest. This point matters in situations in which knowing the association
between information and its originator is relevant to security, as might be
the case if a law enforcement agency were trying to track down a cyber
criminal.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

20 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

The fact that a given sequence of bits could just as easily be a program
as data means that a computer that receives information assuming it to be
data could in fact be receiving a program, and that program could be hos-
tile. Mechanisms in a computer are supposed to keep data and program
separate, but these mechanisms are not foolproof and can sometimes be
tricked into allowing the computer to interpret data as instructions. It is

can be programs that can penetrate the computer’s security, and opening

Last, the representation of information as sequences of bits has

facilitated the use of various mathematical techniques—cryptographic
techniques—to protect such information. Cryptography has many pur-
poses: to ensure the integrity of data (i.e., to ensure that data retrieved
or received are identical to data originally stored or sent), to authenticate

-
tiality of information that may have come improperly into the possession

To understand how cryptographic methods span a range of com-

munication and storage needs, consider the general problem of securing

accomplished by Alice writing a letter containing her signature (authen-

tication). The letter was sealed inside a container to prevent accidental

an unbroken seal, it meant that the letter had not been disclosed or altered
(data integrity), and Bob would verify Alice’s signature and read the mes-
sage. If he received the container with a broken seal, Bob would then take
appropriate actions.
With modern cryptographic techniques, each of the steps remains

work. Mathematical operations can scramble (encrypt) the bit sequences

of them cannot interpret their meaning. Other mathematical operations

descramble (decrypt) the scrambled bits so that they can be interpreted
properly and the information they represent can be recovered. Still
other operations can be used to “sign” a piece of information in a way
that associates a particular party with that information. (Note, however,
that signed information can always be separated from its signature,
and a different signature (and party) can then be associated with that
information.)

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SOME BASICS OF COMPUTING AND COMMUNICATIONS TECHNOLOGY 21

2.2 COMMUNICATIONS TECHNOLOGY AND THE INTERNET

Computers are frequently connected through networks to communi-
cate with each other, thus magnifying their usefulness. Furthermore, since
computers can be embedded in almost any device, arrays of devices can
be created that work together for coherent and common purposes.

which is a diverse set of independent networks, interlinked to provide

its users with the appearance of a single, uniform network. That is, the
Internet is a network of networks. The networks that compose the Internet
share a common architecture (how the components of the networks inter-
relate) and protocols (standards governing the interchange of data) that
enable communication within and among the constituent networks. These
networks themselves range in scale from point-to-point links between
individual devices (such as Bluetooth) to the relatively small networks
-

Internally, the Internet has two types of elements: communication

links, channels over which data travel from point to point; and routers,
computers at the network’s nodes that direct data arriving along incoming
links to outgoing links that will take the data toward their destinations.
Data travel along the Internet’s communication links in packets

format and header information. Header information includes informa-

tion such as the origin and destination IP addresses of a packet, which
routers use to determine which link to direct the packet along. A message
from a sender to a receiver might be broken into multiple packets, each
of which might follow a different path through the Internet. Information
in the packets’ headers enables the message to be restored to its proper
order at its destination. However, as a general rule, it is not possible to
specify in advance the particular sequence of routers that will handle
a given packet—the routers themselves make decisions about where to
send a packet in real time, based on a variety of information available to
those routers about the cost of transmission to different routers, outages
in adjacent routers, and so on.
The origins and destinations of data transiting the Internet are com-
puters (or other digital devices), which are typically connected to the
Internet through an Internet service provider (ISP) that handles the nec-
essary technical and administrative arrangements. The links and routers
of the Internet provide the critical connectivity among source and des-
tination computers, but nothing else. (Distinguishing between source/

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

22 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

BOX 2.1 A More Refined View of Internet Architecture

The separation of the Internet into nodes for transmitting and receiving data
and links and routers for moving data through the Internet captures the essence
of its original architectural design, but in truth it presents a somewhat oversimpli-
fied picture. Some of the more important adjustments to this picture include the
following:

• Content delivery networks. Certain popular sites on the Web serve a

large number of end users. To increase the speed of delivering content from these
sites to end users, these Web sites replicate the most popular content on content
delivery networks located across the Internet. When a user requests content from
these popular sites, the content is in fact delivered to the user by one of these
content delivery networks.
• Other networks. As noted in the main text, the Internet is a network of
networks. Each network within the Internet is controlled by some entity, such as
an Internet service provider, a business enterprise, a government agency, and
so on. The controlling entity has relationships with the users to whom it provides
service and with the entity controlling the larger network within which this network
is embedded. Each relationship is governed by negotiated terms of service. These
entities do have capabilities for monitoring traffic and modulating connectivity on
their networks, so that, for example, they can cut off certain nodes that are pumping
hostile or adverse traffic onto the larger Internet.
• Cloud computing and storage. Cloud computing and storage, as well as
services such as Internet search, are Internet applications. Various vendors also
sell to end users cloud-based services that provide software and even infrastruc-
ture on demand. However, from the standpoint of individual users, cloud computing
may appear to be located among the links and routers, because the information
technology on which such applications run is not co-located with end users.

Misbehavior in any of these components reroutes, delays, or drops traffic

inappropriately, or otherwise provides unreliable information, thus posing security
risks.

destination computers transmitting and receiving data and links and

routers moving data through the Internet captures the essence of its origi-
nal architectural design, but in truth it presents a somewhat oversimpli-

Figure 2.1 provides a schematic that illustrates the architecture of

the Internet. Applications that are directly useful to users are provided
by the source and destination computers. Applications are connected to
each other using packet-switching technology, which runs on the physi-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SOME BASICS OF COMPUTING AND COMMUNICATIONS TECHNOLOGY 23

FIGURE 2.1 A schematic of the Internet. Three “layers” of the Internet are de-
picted. The top and bottom layers (the applications layer and the physical in-
frastructure layer) are shown as much wider than the middle layer (the packet-
switching layer), because within each of the wide layers is found a large number
of largely independent actors. But within the packet-switching layer, the number
of relevant actors is much smaller, and those that do have some control over the
packet-switching layer act in tight coordination.

networks, local area networks). Users navigate the Internet using the

The various applications, the packet-switching technology, and the

physical infrastructure are often called layers of the Internet’s architec-

different parties control different layers. Applications (and the infrastruc-

ture on which they run) are developed, deployed, and controlled by mil-
lions of different entities—companies, individuals, government agencies,
and so on. Each of these entities decides what it wants to do, and “puts
it on the Internet.” The physical infrastructure responsible for carrying
packets is also controlled by a diverse group of telecommunications and

interests—monetary or otherwise—in being able to carry data packets.

(In the United States, these service providers are mostly entities in the
private sector.)

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

24 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

BOX 2.2 Internet Navigation

How can a user navigate from one computer to another on the Internet? To
navigate—to follow a course to a goal—across any space requires a method for
designating locations in that space. On a topographic map, each location is des-
ignated by a combination of a latitude and a longitude. In the telephone system,
a telephone number corresponding to a landline designates each location. On
a street map, locations are designated by street addresses. Just like a physical
neighborhood, the Internet has addresses—32- or 128-bit numbers, called IP ad-
dresses (IP for Internet Protocol)—that define the specific location of every device
on the Internet.
Also like the physical world, the Internet has names—called domain names,
which are generally more easily remembered and informative than the addresses
that are attached to most devices—that serve as unchanging identifiers of those
devices even when their specific addresses are changed. The use of domain
names on the Internet relies on a system of servers—called name servers—that
translate the user-friendly domain names into the corresponding IP addresses.
This system of addresses and names linked by name servers is called the Domain
Name System (DNS) and is the basic infrastructure supporting navigation across
the Internet.
Conceptually, the DNS is in essence a directory assistance service. George
uses directory assistance to look up Sam’s number, so that George can call Sam.
Similarly, a user who wants to visit the home page of the National Academy of
Sciences must either know that the IP address for this page is 144.171.1.30, or use
the DNS to perform the lookup for www.nas.edu. The user gives the name www.
nas.edu to a DNS name server and receives in return the IP address 144.171.1.30.
However, in practice, the user almost never calls on the DNS explicitly—rather, the
entire process of DNS lookup is hidden from the user in the process of viewing a
Web page, sending e-mail, and so on.
Disruptions to the DNS affect the user experience. Disruptions may prevent
users from accessing the Web sites of their choosing. A disruption can lead a user
to a “look-alike” Web site pretending to be its legitimate counterpart. If the look-alike
site is operated by a malevolent actors, the tricked user may lose control of vital
information (such as login credentials).

a set of standards for the Internet Protocol discussed above)—is managed

not under the control of any government, although governments (and

many others as well) have input into the processes that evolve the Internet
Protocol.
It is the separation of the Internet into different layers that are man-
aged separately that is responsible more than any other factor for the

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SOME BASICS OF COMPUTING AND COMMUNICATIONS TECHNOLOGY 25

BOX 2.3 The Internet Engineering Task Force

The Internet Engineering Task Force (IETF) is a large, open international

community of network designers, operators, vendors, and researchers concerned
with the evolution of the Internet architecture and the smooth operation of the In-
ternet. It is open to any interested individual. The actual technical work of the IETF
is done in its working groups, which are organized by topic into several areas (e.g.,
routing, transport, security, and so on). Much of the work is handled via mailing
lists. The IETF holds meetings three times per year.
The IETF describes its mission as “mak[ing] the Internet work better by pro-
ducing high quality, relevant technical documents that influence the way people
design, use, and manage the Internet.” The IETF adheres to a number of principles:

• Open process. Any interested person can participate in the work, know
what is being decided, and make his or her voice heard on an issue. All IETF docu-
ments, mailing lists, attendance lists, and meeting minutes are publicly available
on the Internet.
• Technical competence. The issues addressed in IETF-produced docu-
ments are issues that the IETF has the competence to speak to, and the IETF
is willing to listen to technically competent input from any source. The IETF’s
technical competence also means that IETF output is designed to sound network
engineering principles, an element often referred to as “engineering quality.”
• Volunteer core. IETF participants and leaders are people who come to the
IETF because they want to do work that furthers IETF’s mission of “making the
Internet work better.”
• Rough consensus and running code. The IETF makes standards based on
the combined engineering judgment of its participants and their real-world experi-
ence in implementing and deploying its specifications.
• Protocol ownership. When the IETF takes ownership of a protocol or func-
tion, it accepts the responsibility for all aspects of the protocol, even though some
aspects may rarely or never be seen on the Internet. Conversely, when the IETF
is not responsible for a protocol or function, it does not attempt to exert control
over it, even though such a protocol or function may at times touch or affect the
Internet.

SOURCE: Adapted from material found at the IETF Web site at http://www.ietf.org.

data from A to B without regard for the content of that data), any given
applications provider can architect a service without having to obtain
agreement from any other party. As long as the data packets are properly
formed and adhere to the standard Internet Protocol, the application pro-
vider can be assured that the transport mechanisms will accept the data
for forwarding to users of the application. Interpretation of those packets
is the responsibility of programs on the receiver’s end.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

26 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Put differently, most of the service innovation—that is, the applica-

tions directly useful to users—takes place at the source and destination
computers, independently of the network itself, apart from the techni-
cal need for sending and receiving packets that conform to the Internet
Protocol. The Internet’s architecture is an embodiment of the end-to-end
argument in systems design that says that “the network should provide
a very basic level of service—data transport—and that the intelligence—
the information processing needed to provide applications—should be
located in or close to the devices attached to . . . the network.”1 As a result,
innovation requires no coordination with network architects or operators,
as long as the basic protocols are adhered to. All of the services commonly
available on the Internet today—e-mail, the World Wide Web, Facebook,
Google search services, voice-over-IP communications services, and so

Why do these aspects of communications technology and the Internet matter

for security?
The fundamental architecture of the Internet also has many implica-
tions for security. In particular, the end-to-end design philosophy of the
Internet is that the Internet should only provide capability for transport-
ing information from one point to another. As such, the Internet’s design
philosophy makes no special provision for security services. Instead, the
Internet operates under the assumption that any properly formed packet
found on the network is legitimate; routers forward such packets to the
appropriate address—and don’t do anything else.
Discussions of cybersecurity for “the Internet” often carry a built-in
ambiguity. From the standpoint of most users, “the Internet” refers to all
of the layers depicted in Figure 2.1—that is, users’ conception of “Internet
security” includes the security of the source and destination computers
connected to the Internet. From the standpoint of most technologists,
however, “the Internet” refers only to the packet-switching technology.
This distinction is important because the locus of many cybersecurity
problems is found in the applications that use the Internet.
In principle, security mechanisms can be situated at every layer.
Depending on the layer, these mechanisms will have different properties
and capabilities, and will be implemented by different parties.
Contrary to the Internet’s end-to-end design philosophy, some parties
argue that the Internet needs security services that are more embedded
into the Internet’s architecture and protocols and active in the packet-

for a wide range of security threats, and perhaps take action to curb or

System Design,” ACM Transactions on Computer Systems 2(4):277-288, 1984.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

SOME BASICS OF COMPUTING AND COMMUNICATIONS TECHNOLOGY 27

-
cation users. Further, this argument implies that the end-to-end design
philosophy has impeded or even prevented the growth of such security
services.
Those favoring the preservation of the end-to-end design philosophy
argue that because of the higher potential for inadvertent disruption
as a side effect of a change in architecture or protocols, every proposed
change must be tested and validated. Because such changes potentially

and time-consuming—and thus raise concerns about negative impacts

on the pace of innovation in new Internet-based products and services.
Moreover, actions driven by the requirements of protocols necessarily
slow down the speed at which packets can be forwarded to their destina-
tions. And any mechanisms to enforce security mechanisms embedded in
Internet protocols may themselves be vulnerable to compromise that may
have wide-ranging effects.
Others argue that security services should be the responsibility of the
developers of individual applications. In this view, the security function-
ality provided can be tailored to the needs of the application, and provid-

the performance of the Internet as a whole. In addition, the scope and

nature of security services provided need not be negotiated with stake-
holders responsible for other applications. Countering this viewpoint is
the perspective that applications-based security is a burden on end users.
Some security services can be provided at a distance from the applica-

them when they detect that a user’s security has been compromised. Such
offerings are not uncommon, and they have a modest impact on users’

Whether and how to violate the end-to-end principle in the name of

security is an important policy issue today. How this issue is resolved will
have profound implications for security.

2.3 INFORMATION TECHNOLOGY SYSTEMS

Information technology (IT) systems integrate computing technol-
ogy, communication technology, people (such as developers, operators,
and users), procedures, and more. Interfaces to other systems and control

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

28 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Why do these properties of IT systems matter for security?

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

On the Nature of Cybersecurity

Chapter 1 points out that bad things that can happen in cyberspace
fall into a number of different categories: cybercrime; losses of privacy;
misappropriation of intellectual property such as proprietary software,
R&D work, blueprints, trade secrets, and other product information; espi-
onage; disruption of services; destruction of or damage to physical prop-
erty; and threats to national security. After a brief note about terminology,
this chapter addresses how adversarial cyber operations can result in any
or all of these outcomes.

3.1 ON THE TERMINOLOGY FOR DISCUSSIONS

OF CYBERSECURITY AND PUBLIC POLICY
In developing this report, the committee was faced with an unfortu-

mind the conceptual basis) for discussions about cybersecurity and pub-

where it is well known that translations among English, Chinese, German,

Russian, Arabic, French, and Hebrew can be problematic. But it is also the
case that even within the United States, different communities—and even
different individuals within those communities—use terminology whose

-
cerns about cybersecurity have spread rapidly in the past 10 years to many

29

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

30 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

be established under such circumstances. Further, different vocabularies

and orientation that might differentiate various communities.

As an illustration, consider the term “cyberattack.” The term has been
used variously to include:

• Any hostile or unfriendly action taken against a computer system

or network regardless of purpose or outcome.
• Any hostile or unfriendly action taken against a computer system
or network if (and only if) that action is intended to cause a denial of ser-
vice (discussed below) or damage to or destruction of information stored

-
tration (the essential characteristic of cyber espionage) and other kinds of

law and domestic legal authorities for conducting such actions; these
points are discussed further in Section 4.2.3 on domestic and international
law.)
• Any hostile or unfriendly action taken against a computer system
or network if (and only if) that action is intended to cause damage to or
destruction of information stored in or transiting through that system or
network and is effected primarily through the direct use of information

actions can seriously disrupt services provided by the attacked computer

or cables.)

Another frequent confusion in the literature or in discussions involves

-

making a copy of it and conveying that copy into an adversary’s hands.

is a mechanism used

X) means “to take advan-

tage of” (as in “an adversary can take advantage of vulnerability X”).
The reader is cautioned that there are many terms in cybersecurity

on some particular vocabulary, but until that day comes, participants in

special care to ensure that they understand a speaker’s or writer’s intent

when certain terms are used.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 31

3.2 WHAT IT MEANS TO BE AN ADVERSARY IN CYBERSPACE

In this report, an adversarial (or hostile) cyber operation is one or
more unfriendly actions that are taken by an adversary (or equivalently,
an intruder) against a computer system or network for the ultimate pur-

operations” or “offensive operations in cyberspace” are roughly equiva-

lent from an action standpoint but are terms for operations conducted by

can be used more or less interchangeably with “hostile cyber operation,”

but in this report will usually refer to an adversarial cyber operation con-
ducted sometime in the past.

attack.

3.2.1 Cyber Exploitation

should not have access to it. To date, the vast majority—nearly all—of

stored information such as Social Security numbers, medical records,

and bid information, and software source code have all been obtained by

-
-
ered, the credit card owner can notify the bank and prevent the card’s
further use.

the winter holiday season of 2013, when the Target retail store chain
suffered a data breach in which personal information belonging to 70
million to 110 million people was stolen.1 Such information included
names, mailing and e-mail addresses, phone numbers, and credit card
numbers. Shortly after the breach occurred, observers noted an order-
of-magnitude increase in the number of high-value stolen cards on black
market Web sites, from nearly every bank and credit union. The Target

1 New
York Times http://www.nytimes.com/2014/01/11/business/
target-breach-affected-70-million-customers.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

32 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

ending February 1, 2014, relative to the comparable period a year earlier,

covered 72 percent).2 Financial institutions spent $200 million to replace

credit cards after the breach.3

stored on a computer or network, they can also seek information in the

physical vicinity of a computer when the computer has audio and/or
video capabilities. In such cases, an intruder can penetrate the computer
and activate the on-board camera or microphone without the knowledge
of the user, and thus surreptitiously see what is in front of the camera and

of the new Miss Teen USA and took pictures that he subsequently used to
blackmail the victim.4
the warning light on the camera from turning on.

3.2.2 Cyberattack
A cyberattack is an action intended to cause a denial of service or
damage to or destruction of information stored in or transiting through
an information technology system or network.
A denial-of-service (DOS) attack is intended to render a properly
functioning system or network unavailable for normal use. A DOS attack
may mean that the e-mail does not go through, or the computer simply

-
trolled by the system). As a rule, the effects of a DOS attack vanish when
the attack ceases. DOS attacks are not uncommon, and have occurred
against individual corporations, government agencies (both civilian and
military), and nations.

requests for service (e.g., requests to display a Web page, to receive and

2 Paul Ziobro, “Target Earnings Suffer After Breach,” Wall Street Journal, February 27,

2014, available at http://online.wsj.com/news/articles/SB2000142405270230425560457940

6694182132568.
3 Saabira Chaudhuri, “Cost of Replacing Credit Cards After Target Breach Estimated

at $200 Million,” Wall Street Journal, February 19, 2014, available at http://online.wsj.com/
news/articles/SB10001424052702304675504579391080333769014.
4 Nate Anderson, “Webcam Spying Goes Mainstream as Miss Teen USA Describes Hack,”

Ars Technica, April 16, 2013, available at http://arstechnica.com/tech-policy/2013/08/

webcam-spying-goes-mainstream-as-miss-teen-usa-describes-hack/.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 33

to handle legitimate requests for service and thus blocking others from
using those resources. Such an attack is relatively easy to block if these
bogus requests for service come from a single source, because the tar-
get can simply drop all service requests from that source. A distributed

many different machines. Since each of these different machines might, in

principle, be a legitimate requester of service, dropping all of them runs a
higher risk of denying service to legitimate parties. Botnets—a collection

when a series of distributed denial-of-service (DDOS) attacks began on a

range of Estonian government Web sites, media sites, and online banking
services.5 Attacks were largely conducted using botnets to create network

around the world. The duration and intensity of attacks varied across
the Web sites attacked; most attacks lasted 1 minute to 1 hour, and a few
lasted up to 10 hours.6 Attacks were stopped when the attackers ceased
their efforts rather than being stopped by Estonian defensive measures.7
The Estonian government was quick to claim links between those con-
ducting the attacks and the Russian government,8 -
cials denied any involvement.9
A damaging or destructive attack can alter a computer’s program-
ming in such a way that the computer does not later behave as it should.
If a physical device (such as a generator) is controlled by the computer,
the operation of that device may be compromised. The attack may also

being sent from one point to another). Such an attack may delete data

Although the preparation for an attack may be surreptitious (so that

5 Economist

Estonia, presentation to Centre for Strategic and International Studies, November 28, 2007.
6

asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/.
7 McAfee Corporation, Cybercrime: The Next Wave, McAfee Virtual Criminology Report,

8 Maria Danilova, “Anti-Estonia Protests Escalate in Moscow,” Washington Post, May 2,

2007, available at http://www.washingtonpost.com/wp-dyn/content/article/2007/05/02/

AR2007050200671_2.html. The article quotes both the Estonian president and the Estonian
ambassador to Russia as claiming Kremlin involvement.
9 McAfee Corporation, Cybercrime: The Next Wave, 2007, p. 7.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

34 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

BOX 3.1 Botnets

An attack technology of particular power and significance is the botnet. Bot-

nets are collections of victimized computers that are remotely controlled by the
attacker. A victimized computer—an individual bot—is connected to the Internet,
usually with an “always-on” broadband connection, and is running software clan-
destinely introduced by the attacker. The attack value of a botnet arises from the
sheer number of computers that an attacker can control—often tens or hundreds of
thousands and perhaps as many as a million. (An individual unprotected computer
may be part of multiple botnets.)
Since all of these computers are under one party’s control, the botnet can act
as a powerful amplifier of an adversary’s actions. In addition, by acting through a
botnet, a malevolent actor can be more anonymous (because his actions can be
routed through many computers belonging to third parties). The use of botnets can
also help to defeat defensive techniques that identify certain computers as sources
of hostile traffic—as one bot in the net is identified as a source of hostile traffic, the
adversary simply shifts to a second, and a third, and a fourth bot.
An attacker usually builds a botnet by finding a few individual computers to
compromise, perhaps using one of the tools described above. The first hostile
action that these initial zombies take is to find other machines to compromise—a
task that can be undertaken in an automatic manner, and so the size of the botnet
can grow quite rapidly.
A botnet controller can communicate with its botnet and still stay in the back-
ground, unidentified and far away from any action, while the individual bots—which
may belong mostly to innocent parties that may be located anywhere in the world—
are the ones that are visible to the party under attack. The botnet controller has
great flexibility in the actions it may take—it may direct all of the bots to take the
same action, or each of them to take different actions.
Individual bots can probe their immediate environment and take action based
on the results of that probe. A bot can pass information it finds back to its control-
ler, or it can take destructive action, which may be triggered at a certain time, or
perhaps when the resident bot receives a subsequent communication from the
controller. Bots can also obtain new programming from their controllers, giving
them great flexibility with respect to the range of harmful tasks they can conduct
at any time.
Perhaps the most important point about botnets is the great flexibility they
offer to a malevolent actor. Adversaries can obtain botnet services on the open
(black) market for hacking services (e.g., the botnets used to attack Estonia in
2007 were apparently rented).1 Although botnets are known to be well suited to
distributed denial-of-service attacks, it is safe to say that their full range of utility
for adversarial operations in cyberspace has not yet been examined.

1 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” New York

Times, May 29, 2007, available at http://www.nytimes.com/2007/05/29/technology/29estonia.

html?pagewanted=all&_r=0.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 35

the victim does not have a chance to prepare for it), the effects of an attack
may or may not be concealed. If the intent of an attack is to destroy a

be traceable to a cyberattack on the controlling computer). But if the intent

of an attack is to corrupt vital data, small amounts of corruption may not
be visible (and small amounts of corruption continued over time could
result in undetectable large-scale corruption).

hostile cyber operation that targeted the computer-controlled centrifuges

10 After taking control

ways that would cause them to self-destruct, unbeknownst to the Iranian

centrifuge operators.

3.2.3 An Important Commonality for Exploitation and Attack

they generally use the same basic technical approaches to penetrate the
security of a system or network, even though they have different out-

the latter results in damage to information or information technology—

and whatever else that technology controls.) The reason for this similarity
is addressed below in Section 3.4. Also, a single offensive operation can, in

3.3 INHERENT VULNERABILITIES OF

INFORMATION TECHNOLOGY
Designing a completely secure, totally unhackable computer is easy—

system is entirely secure (see the left side of Figure 3.1). Of course, this

useful (right side of Figure 3.1).

A computer can produce useful results only when it is provided with
“correct” or “good” information. But what counts as “good” and “bad”
information depends on decisions made by fallible human beings—and
in particular humans who may be tricked into believing that certain

10 IEEE Spectrum, February 26, 2013,

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

36 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

FIGURE 3.1 A secure but useless computer (left), and an insecure but useful
computer (right).

information or programs are good when they are in fact bad. This fact
underscores a basic point about most adversarial cyber operations—the

Two other factors compound the inherent vulnerabilities of infor-

mation technology. First, the costs of an adversarial cyber operation are
usually small compared with the costs of defending against it. This asym-
metry arises because the victim (the defender) must succeed every time
the intruder acts (and may even have to take defensive action long after
the intruder’s initial penetration if the intruder has left behind an implant
for a future attack). By contrast, the intruder needs to succeed in his efforts
only once, and if he pays no penalty for a failed operation, he can continue
his efforts until he succeeds or chooses to stop.11

whose proper (secure) operation requires many actors to have behaved

correctly and appropriately and to continue to do so in the future. Each
-

11 This asymmetry applies primarily when the intruder can choose when to act, that

is, when the precise timing of the intrusion’s success does not matter. If the intruder must

of tries to succeed, and the asymmetry between intruder and defender may be reduced

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 37

BOX 3.2 A Simple Example of Deception

HTML (an acronym for Hypertext Markup Language) is a computer language

that is used to display Web pages. One feature of this language is that it enables
the conversion of text into links to other Web pages. The user sees on the page a
certain text string, but the text string conceals a link—clicking on the “click here”
text brings the user to the Web site corresponding to the link. (Although the link
can be revealed if the user’s pointing device hovers over the text string, many users
do not perform such a check.)
But there are no limits on the text string to be displayed to the user, and so it
is possible for the user to see on the screen “www.example.com,” but underneath
the text is really the link for another Web page, such as www.hackyourcomputer.
com. Clicking on the text displayed on the screen takes the user to the bad site
rather than the intended site.

something that many people do every day with ease. The user can type
the name of a Web page (called a URL, uniform resource locator) as
depicted in the top of Figure 3.2, and the proper Web page appears in a
second or two as depicted at the bottom of Figure 3.2. In addition, the user
also wants the display of the Web page to be the only thing that happens

things that the user does not want to happen.

Behind this apparent simplicity is a multitude of steps, as depicted
-

by any of these actors may mean that the requested page does not appear
as required.
Inspection of Figure 3.3 with a powerful magnifying lens (not sup-

preparation of the computer used to display the page, preparation of

the Web page that is to be displayed, and the actual retrieval of the Web
page from where it is hosted to where it is displayed. Each of these parts
is itself composed of actions involving a number of actors. Some of the
actors shown in Figure 3.3 include:

• The provider of the hardware and the operating system;

• The delivery service that handles the computer in transit (e.g.,

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

38 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

FIGURE 3.2 Viewing a Web page, from the user’s perspective. When a user types
a Web page’s name (top), the corresponding page appears and can be read (bottom).
Figure 3.2a and b

Copyright © National Academy of Sciences. All rights reserved.

 User start
Design Web
Provider of Select ISP
Design App O/S SSelect/purchase
l / h
Provider start computer VPN provider
Provider of
Hardware
DNS registrar; Boot computer
Development
Create web Activate DNS DNS provider Use VPN
tools
page name Access ISP Run DHCP
Specify
p y DNS
Install on Elect to use SSL
Server software; Certificate
server Running system available
system operator authority
Provider of DNS provider
Elect to use Obtain merchant
browser Select browser
CDN certificate
CDN
provider Set up secure page Download Install browser
mechanism
Server software; Configured system available
system operator
Obtain URL

Web page available Extract DNS

Browser
name

All ISPs Retrieve Convert DNS DNS

along path certificate to IP server/system

Browser certificate Verify All ISPs

Retrieve page along path
authority certificate

User Accept Render page Browser

cognition/perception verification
At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Retrieve embedded All of these

elements steps

View retrieved page

Copyright © National Academy of Sciences. All rights reserved.

FIGURE 3.3 Viewing a Web page, behind the scenes. SOURCE: David Clark, “Control Point Analysis,” ECIR Working Paper, 2012,

control-point-analysis. Reprinted by permission.

39
At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

40 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

the factory to the proper destination without allowing an adversary to

tamper with it;
• The Internet service provider that provides Internet service to the
location where the user accesses the Web page;
• The party responsible for the Internet browser that the user runs to
access the Web page;
• The party or parties responsible for various add-ons that the

• The developer of the tools for creating Web pages;

• The operator of the server that hosts the Web page to be accessed;
• The provider of software for the host server;
• Providers of the advertisement(s) that might be served up along
with the Web page;
• The Domain Name System registrar that registers the name of the
Web site where the Web page can be found;
• The DNS provider that translates the name of the Web site to a
numerical Internet Protocol address such as 144.171.1.4;
•
the Web site is in fact the properly registered operator; and
• All of the Internet service providers along the connection path
between the host and the user.

Each of these actors must carry out correctly the role it plays in
-
ing protocols if packets are to reach their destination. Moreover, each of
these actors could take (or be tricked into taking) one or more actions
that thwart the user’s intent in retrieving a given Web page, which is to
receive the requested Web page promptly and to have only that task be
accomplished, and not have any other unrequested task be accomplished.

3.4 THE ANATOMY OF ADVERSARIAL

ACTIVITIES IN CYBERSPACE
Adversarial operations in cyberspace against a system or network
usually require penetration of the system or network’s security to deliver
a payload that takes action in accordance with the intruder’s wishes
against the target of interest (e.g., against any of the entities shown in
ovals in Figure 3.3). The payload is usually computer code, and is also
known as malware. (In some cases, the payload could be instructions or
commands issued to the computer by a malevolent actor.)

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 41

a problem very different from that posed by the same cabinet located
-
net, the intruder might take advantage of an easily pickable lock on the
cabinet—that is, an easily pickable lock is a vulnerability. The payload in

-
tion on those papers, perhaps by replacing certain pages with pages of
the intruder’s creation (i.e., he alters the data recorded on the pages),
he can pour ink over the papers (i.e., he renders the data unavailable to
any legitimate user), or he can copy the papers and take the copies away,

3.4.1 Cyber Penetration

Access

one that the intruder need spend only a little effort preparing and the

target that is known to be connected to the Internet. Public Web sites are

the Internet to be useful.

Hard targets are those that require a great deal of preparation on the
part of the intruder and where access to the target can be gained only
at great effort or may even be impossible for all practical purposes. For
-
nected to the Internet for the foreseeable future, which means that launch-
ing a cyberattack against such a plane will require some kind of harder-
to-achieve access to introduce a vulnerability that can be used later. As a
general rule, sensitive and important computer systems or networks are
likely to fall into the category of hard targets.
Access paths to a target include those in the following categories:

• Remote access, in which the intruder is at some distance from the

remote access is that of an adversary computer attacked through the

accessing an adversary computer through a dial-up modem attached

to it or through penetration of the wireless network to which it is con-
nected. Malevolent actors are constantly searching for new computers

computer, and in some cases, such penetration takes only a matter of

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

42 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

minutes or hours from the moment of initial connection to the Internet,

even without its owner taking any other action at all.12

computer language used for managing data input and data manipulation

to insert (“inject”) database commands of his own into the input. In a

making 32 million user names and passwords available to intruders.13 In

Federal Trade Commission.14

• Close access, in which the penetration of a system or network takes
place through the local installation of hardware or software functionality
-
imity to the computer or network of interest. Close access is a possibility

conduct than remote access.

to The Telegraph, criminal gangs in China gained access to the supply

chain for a certain line of chip-and-pin credit card readers.15 The gangs
-
-
nal enterprises. The readers were repackaged with virtually no physical
traces of tampering and shipped directly to several European countries.
Details collected from the cards were used to make duplicate credit cards,

12 Survival Time, available at http://isc.sans.org/survivaltime.html.

was rendered unusable through online attacks. The computer was probed within 30 seconds

13 SC
Magazine,
compromises-32-million-passwords/article/159676/.
14

SC Magazine,
rockyou-to-pay-ftc-250k-after-breach-of-32m-passwords/article/233992/.
15 Henry Samuel, “Chip and Pin Scam ‘Has Netted Millions from British Shoppers,’”

The Telegraph, October 10, 2008, available at http://www.telegraph.co.uk/news/uknews/

law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.
html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 43

BOX 3.3 Close Access Through the

Information Technology Supply Chain

Systems (and their components) can be penetrated in design, development,

testing, production, distribution, installation, configuration, maintenance, and op-
eration. In most cases, the supply chain is only loosely managed, which means
that the party supplying the system to the end user may well not have full control
over the entire chain. Examples of possible supply-chain penetrations include the
following:

• A vendor with an employee loyal to an adversary introduces malicious

hardware or code at the factory as part of a system component for which the
vendor is a subcontractor in a critical system.
• An adversary intercepts a set of USB flash drives ordered by the victim
for distribution at a conference and substitutes a different doctored set for actual
delivery to the victims. In addition to the conference proceedings, the adversary
places hostile software on the flash drives that the victims install when they plug
in the drives.
• An adversary writes an application for a smart device that performs some
useful function (e.g., an app that displays a clock on the device’s face) but also
includes malware that sends the contact list on the device to the adversary.
• An adversary bribes a shipping clerk to look the other way when the com-
puter is on the loading dock for transport to the victim, opens the box, replaces the
video card installed by the vendor with one modified by the intruder, and reseals
the box.

A supply chain penetration may be effected late in the chain, for example,
against a deployed computer in operation or one that is awaiting delivery on a
loading dock. In these cases, such a penetration is by its nature narrowly and
specifically targeted, and it is also not scalable, because the number of computers
that can be penetrated is proportional to the number of human assets available. In
other cases, a supply chain penetration may be effected early in the supply chain
(e.g., introducing a vulnerability during development), and high leverage against
many different targets might result from such an attack.

International estimated that thousands of customer accounts were com-

promised, netting millions of dollars in ill-gotten gains before the breach
was discovered.
• Social access. An intruder can gain access by taking advantage of

trust the intentions of a known and/or friendly party than an unknown

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

44 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

IT systems of interest can often be compromised through recruitment,

can be of enormous value to the intruder. In some cases, a trusted insider

“goes bad” for his or her own reasons and by virtue of the trust placed
in him is able to take advantage of his own credentials for improper
purposes—this is the classical “insider threat.” Social engineering is the
use of deception and trickery for gaining access. Social engineering results
in the intruder gaining access to the credentials and therefore the access
privileges of those the intruder has tricked.

penetrate the security of computer systems, consider the case of Edward

-
ments from the National Security Agency and other government agencies
in the United States and abroad that described electronic surveillance

nature of these documents, many have asked how their security could
have been compromised. According to a Reuters news report,16 Snowden

him with their credentials, telling them that he needed that information
in his role as systems administrator.
Sometimes, social engineering is combined with either remote access
or close access methods. An intruder may make contact through the Inter-
net with someone likely to have privileges on the system or network of
interest. Through that contact, the intruder can trick the person into taking

intruder sends the victim an e-mail with a link to a Web page and when
the victim clicks on that link, the Web page may take advantage of a
technical vulnerability in the browser to run a hostile program of its own
choosing on the user’s computer, often or usually without the permission
or even the knowledge of the user.
Social engineering can be combined with close access techniques in
-

computer. Because some systems support an “auto-run” feature for insert-

able media (i.e., when the medium is inserted, the system automatically

ports can be glued shut, but such a countermeasure also makes it impos-

16
Mark Hosenball and Warren Strobel, “Snowden Persuaded Other NSA Workers to
Give Up Passwords–Sources,” Reuters, November 7, 2013, available at http://www.reuters.
com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 45

sible to use the USB ports for any

The red team scattered USB drives in parking lots, smoking areas, and

drive was inserted, and the result was that 75 percent of the USB drives
distributed were inserted into a computer.17

Vulnerability
Access is only one aspect of a penetration, which also requires the
intruder to take advantage of a vulnerability in the target system or

the target such as a default setting that leaves system protections turned
off. Vulnerabilities arise from the characteristics of information technol-
ogy and information technology systems described above.

door for opportunistic use of the vulnerability by an adversary who learns

discovered and can then be used by anyone with moderate technical skills
until a patch can be developed, disseminated, and installed. Intruders
with the time and resources may also discover unintentional defects that
they protect as valuable secrets that can be used when necessary. As long
as those defects go unaddressed, the vulnerabilities they create can be
used by the intruder.
-

built into programs by their creators; the purpose of a “back door” is to

enable another party to bypass security features that would otherwise
keep that other party out of the system or network. An illustration would

would have an assigned login name and password that would enable
them to do certain things (and only those things) on the Web site. But if
the program’s creator had installed a back door, a knowledgeable intruder
(perhaps in cahoots with the program’s creator) could enter a special

17 See Steve Stasiukonis, “Social Engineering, the USB Way,” Dark Reading

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

46 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

40-character password and use any login name and then be able to do
anything he wanted on the system.

vulnerability.” The term refers to a vulnerability for which the responsible

party (e.g., the vendor that provides the software) has not provided a

impact are those in a remotely accessible service that runs by default on all
versions of a widely used piece of software—under such circumstances,
an intruder could take advantage of the vulnerability in many places
nearly simultaneously, with all of the consequences that penetrations of
such scale might imply.
Those who discover such vulnerabilities in systems face the question
of what to do with them. A private party may choose to report a vulner-
ability privately to those responsible for maintaining the system so that

actions can be taken; keep a discovered/known vulnerability for its own

purposes; or sell it to the highest bidder. National governments face a
similar choice—keep it for future use in some adversarial or offensive

the susceptibility to penetration of the systems in which that vulnerability

is found. National governments as well as nongovernment entities such as

for future use.

penetration approaches and techniques, and thus may look quite simi-
lar to the victim, at least until the nature of the malware involved is
ascertained.

3.4.2 Cyber Payloads (Malware)

If an intruder is successful at penetrating a system or network, the

A payload is most often a “malware” program that is designed to

take hostile action against the system to which it has been delivered. In
general, these hostile actions can be anything that could be done by an

has entered a system, it can be programmed to reproduce and retransmit

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 47

ability for future use, and so on. The payload is what determines if an

Malware can have multiple capabilities when inserted into an adver-

sary system or network—that is, malware can be programmed to do
more than one thing. The timing of these actions can also be varied. And
if a communications channel to the intruder is available, malware can be
remotely updated. Indeed, in some cases, the initially delivered malware
consists of nothing more than a mechanism for scanning the penetrated
system to determine its technical characteristics and an update mecha-
nism to retrieve the best packages to further the malware’s operation.
Malware may be programmed to activate either immediately or when
some condition is met. In the second case, the malware sits quietly and
does nothing harmful most of the time. However, at the right moment,
-

“right moment” can be triggered because:

• A certain date and time are reached;

•
•
•

Malware may also install itself in ways that keep it from being
detected. It may delete itself, leaving behind little or no trace that it was
ever present. In some cases, malware can remain even after a computer is
scanned with anti-malware software or even when the operating system
is reinstalled from scratch.
-
puters in everyday use—run through a particular power-on sequence
when their power is turned on. The computer’s power-on sequence loads
a small program from a chip inside the computer known as the BIOS
(Basic Input-Output System), and then runs the BIOS program. The BIOS
program then loads the operating system from another part of the com-
puter, usually its hard drive. Most anti-malware software scans only the
operating system on the hard drive, assuming the BIOS chip to be intact.
But some malware is designed to modify the program on the BIOS chip,
and reinstalling the operating system simply does not touch the (modi-

targets the BIOS,18 and in 1998 it rendered several hundred thousand

18The Chernobyl virus is further documented in CERT Coordination Center, “CIH/

Chernobyl Virus,” CERT® Incident Note IN-99-03, updated April 26, 1999, available at

IN-99-03.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

48 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

computers entirely inoperative without physical replacement of the BIOS

chip.
Last, the payload might not take the form of hostile software at all.

advantage of a certain vulnerability to give himself remote access to

the target computer such that the intruder has all of the privileges and
capabilities that he might have if he were sitting at the keyboard of that
computer. He is then in a position to issue to the computer commands of
his own choosing, and such commands may well have a harmful effect
on the target computer.

3.4.3 Operational Considerations

Sections 3.4.1 and 3.4.2 describe the basic structure of hostile activi-
ties in cyberspace. But an intruder must take into account a number of
operational considerations if such activities are to be successful:

• Effects prediction and assessment. When planning a hostile operation,

operation has concluded, the responsible party wants to know if it was

successful. But accurate predictions about the outcome of hostile opera-

eye.
• Target selection

of sources, including open source collection, automated target selection,

in targeting may require large amounts of intelligence information.

• Fragility
the vulnerability that was taken advantage of by an intruder. Thus, an
intruder must consider the possibility that a particular penetration tool
will be usable only once or a few times.
• Rules of engagement. These rules specify what tools may be used
to conduct a hostile cyber operation, what their targets may be, what
effects may be sought, and who may conduct such operations under what

specifying these rules for a variety of different purposes (e.g., military

purposes, intelligence purposes, law enforcement purposes).
• The availability of intelligence. As a general rule, a scarcity of intelli-
gence information regarding possible targets means that any cyber opera-
tion launched against them can only be “broad-spectrum” and relatively

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 49

indiscriminate or blunt. Substantial amounts of intelligence information

about targets (and paths to those targets) are required if an operation
is intended as a very precise one directed at a particular system. Often,

3.5 CHARACTERIZING THREATS TO CYBERSECURITY

Malevolent actors in cyberspace span a very broad spectrum, rang-

to the lone intruder.

In addition to those who are motivated by pure curiosity, malevolent
actors have a range of motivations. Some are motivated by the desire to

nationalistic considerations.
The skills of malevolent actors also span a very broad range. Some
have only a rudimentary understanding of the underlying technology and
are capable only of using tools that others develop to conduct their own
operations but in general are not capable of developing new tools. Those
with an intermediate level of skill are capable of developing hacking tools
on their own.
Those with the most advanced levels of skills—that is, the high-
end threat—can identify weaknesses in target systems and networks and
develop tools to take advantage of such knowledge. Moreover, they are

support. When governments are involved, the resources of national intel-

ligence, military, and law enforcement services can be brought to bear. Of

end intruder, efforts oriented toward countering the casual adversary or

even the common cyber criminal amount to little more than speed bumps.
The availability of such resources widens the possible target set of

seeks the credit card numbers of a group of individuals. The operation

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

50 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

may not be entirely successful because some of these individuals have

defenses in place that thwart the operation on their individual machines.
But the operation taken as a whole will obtain some credit card numbers,
and an adversary that simply wants credit card numbers without regard
for who actually owns those numbers will regard this operation as a
success.
However, because of the resources available to them, high-end adver-

enormous value (“the crown jewels”). In the former case, an adversary

confronted with an adequately defended system simply moves on to
another system that is not so well defended. In the latter case, the adver-

has become known as the advanced persistent threat.

High-end adversaries—and especially major nation-state
adversaries—are also likely to have the resources that allow them to
obtain detailed information about the target system, such as knowledge
gained by having access to the source code of the software running on
the target or the schematics of the target device, or through reverse-
engineering. Success in obtaining such information is not guaranteed, of

BOX 3.4 The Advanced Persistent Threat

Discussions of high-end cybersecurity threats often make reference to the

“advanced persistent threat (APT).” One document suggests that the term was
originally coined by the U.S. Air Force in 2006 to refer to “a sophisticated adversary
engaged in [cyber] warfare in support of long-term strategic goals.”1 That is, the
APT is a party (an actor) that is technologically advanced and persistent (i.e., able
and willing to persist in its efforts).
A second usage of the term refers to the character of a cyber intrusion—one
that is technologically sophisticated (i.e., advanced) and hard to find and eliminate
(i.e., persistent). In this usage, the APT is highly focused on a particularly valu-
able target. This tight and narrow focus stands in contrast to other cyber threats
(e.g., spamming for credit card numbers) that seek targets of opportunity. An APT
typically makes use of tools and techniques that are customized to the specific
security configuration and posture of its target. Furthermore, it operates in ways
that its perpetrators hope minimize the likelihood of detection.

1 See Fortinet, Inc., “Threats on the Horizon: The Rise of the Advanced Persistent Threat,”

Solution Brief, 2013, http://www.fortinet.com/sites/default/files/solutionbrief/threats-on-the-

horizon-rise-of-advanced-persistent-threats.pdf.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ON THE NATURE OF CYBERSECURITY 51

course, but the likelihood of success is clearly an increasing function of the

availability of resources. For instance, a country may obtain source code
and schematics of a certain vendor’s product because it can require that
the vendor make those available to its intelligence agencies as a condition
of permitting the vendor to sell products within its borders.
The high-end adversary is generally indifferent to the form that its
path to success takes, as long as that path meets various constraints such
as affordability and secrecy. In particular, the high-end adversary will

the former is easier to do than the latter.

To support this broad range of malevolent actors, there is a thriving
and robust underground marketplace for hacking tools and services.
Those wishing to conduct an adversarial operation in cyberspace can
often purchase the service with nothing more than a credit card (probably
a stolen one) or an alternative and untraceable currency such as Bitcoin.19

out of which a malevolent actor can assemble his own adversarial cyber
operation. In an environment in which such services can be bought and

A number of general observations can be made about the various

malevolent actors:

• Bad guys who want to have an effect on their targets have some
motivation to keep trying, even if their initial efforts are not successful in
intruding on a victim’s computer systems or networks.
• Bad guys nearly always make use of deception in some form—
they trick the victim into doing something that is contrary to the victim’s
interests.
• A would-be bad guy who is induced or persuaded in some way to
refrain from intruding on a victim’s computer systems or networks results
in no harm to those systems or networks, and such an outcome is just as
good as thwarting his hostile operation (and may be better if the user is
persuaded to avoid conducting such operations in the future).
• Cyber bad guys will be with us forever for the same reason that
crime will be with us forever—as long as the information stored in, pro-
cessed by, or carried through a computer system or network has value to

19

R. Velde, “Bitcoin: A Primer,” Chicago Fed Letter, Number 517, December 2013, available
at http://www.chicagofed.org/digital_assets/publications/chicago_fed_letter/2013/

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

52 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

third parties, cyber bad guys will have some reason to conduct adversarial
operations against a potential victim’s computer systems and networks.

3.6 THREAT ASSESSMENT

The process through which information is assembled and interpreted
to assess the threats faced by a potential target is known as threat assess-
ment. Threat assessments help those who are defending systems and
networks to allocate resources (money, time, effort, personnel) prior to
hostile action and to plan what they should do when they are the target

resources should be deployed to combat one particular threat over all

others or that a particular strategy would be more effective than others in
responding to a given threat.
In general, threat assessments are based on information from multiple
sources. As is discussed in Section 4.1.4, successful forensics of actual
cyber incidents provide one kind of information, yielding details about
the methodology and identity of the intruders, the damage that resulted,
and so on. Other sources of useful information may include intercepts of
communications and other signals, interviews with those knowledgeable
about intruder doctrine or operations, analysis of intruders’ documents,
photo reconnaissance, reports from intelligence agents, public writing and
speeches by relevant parties, and so on.
A threat assessment sheds light on adversary capabilities and inten-

hostile party.) What an adversary is capable of doing depends on the

tools available, the skill with which the adversary can use those tools,
and the numbers of skilled personnel available to the adversary. What
an adversary intends to do depends on the adversary’s motivation, as

target set (i.e., what targets the adversary seeks to penetrate) and in what
the adversary wishes to do or be able to do once penetration is achieved

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Enhancing Cybersecurity

4.1 APPROACHES TO IMPROVING SECURITY

-
cance of adversarial cyber operations. The approaches described below

that some combination of them be used.

4.1.1 Reducing Reliance on Information Technology

The most basic way to improve cybersecurity is to reduce the use

of using IT must be weighed against the security risks that the use of IT
-
cient degree, and the use of IT should be rejected. In other cases, security

costs should be factored into the decision. But what should not happen
is that security risks be ignored entirely—as may sometimes be the case.

connecting a computer system to the Internet, even if not connecting

might increase costs or decrease the system’s utility. The theory underly-
ing such a decision is that the absence of an Internet connection to such
a computer will prevent intruders from gaining access to it and thus that
the computer system will be safe. In fact, this theory is not right—the lack
of such a connection reduces but does not prevent access, and thus the

53

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

54 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

safety of the computer system cannot be taken for granted forever after.
But disconnection does help under many circumstances.
The broader point can be illustrated by supervisory control and data
acquisition (SCADA) systems, some of which are connected to the Inter-
net.1 SCADA systems are used to control many elements of physical
infrastructure: electric power, gas and oil pipelines, chemical plants, fac-
tories, water and sewage, and so on. Infrastructure operators connect their
SCADA systems to the Internet to facilitate communications with them, at
least in part because connections and communications hardware that are

provide such communications. But Internet connections also potentially

provide access paths to these SCADA systems that intruders can use.
Note that disconnection from the Internet may not be easy to accom-
plish. Although SCADA systems may be taken off the Internet, connecting
these systems to administrative computers that are themselves connected

means that these SCADA systems are in fact connected—indirectly—to

the Internet.

4.1.2 Knowing That Security Has Been Penetrated

Detection
From the standpoint of an individual system or network operator,
the only thing worse than being penetrated is being penetrated and not
knowing about it. Detecting that one has been the target of a hostile cyber

action.

action) is harmful (or potentially harmful) or not harmful. Making such

decisions is problematic because what counts as harmful or not harmful
is for the most part a human decision—and such judgments may not be
made correctly. In addition, the number of nonharmful things happening
inside a computer or a network is generally quite large compared with
the number of harmful things going on. So the detection problem is nearly

One often-used technique for detecting malware is to check to see

Such checks depend on “signatures” that might be associated with the

1 See http://cyberarms.wordpress.com/2013/03/19/worldwide-map-of-internet-connected-

scada-systems/.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 55

when it was created, a hash of the program,2 and so on. Signatures might
also be associated with the path through which a program has arrived at

The Einstein program of the Department of Homeland Security (DHS)

3

By law and policy, DHS is the primary agency responsible for protecting
U.S. government agencies other than the Department of Defense and the

header information in each packet but not the content of a packet itself)
and compares that data to known patterns of such data that have previ-

dropped).
This signature-based technique for detection has two primary weak-
nesses. First, it is easy to morph the code without affecting what the
program can do so that there are an unlimited number of functionally
equivalent versions with different signatures. Second, the technique can-
not identify a program as malware if the program has never been seen
before.
Another technique for detection monitors the behavior of a program;

are behavioral signatures that help with anomaly detection, this tech-

But it is not a general solution because there is usually no reliable way to

a legitimate and benign purpose and an intruder who wishes to do that

very same thing for some nefarious purpose. In practice, this technique

something nefarious is going on when in fact it is not. A high level of false

positives annoys legitimate users, and often results in these users being
unable to get their work done.

constructed algorithm, hashes of two different bit sequences are very unlikely to have the
same hash value.
3 Department of Homeland Security, National Cyber Security Division, Computer

Emergency Readiness Team (US-CERT), Privacy Impact Assessment [of the] Einstein Program:
Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian
Government
privacy_pia_eisntein.pdf.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

56 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Assessment
A hostile action taken against an individual system or network may or
may not be part of a larger adversary operation that affects many systems
simultaneously, and the scale and the nature of the systems and networks
affected in an operation are critical information for decision makers.
Detecting a coordinated adversary effort against the background noise
of ongoing hostile operations also remains an enormous challenge, given
that useful information from multiple sites must be made available on a
timely basis. (And as detection capabilities improve, adversaries will take
steps to mask such signs of coordinated efforts.)
An assessment addresses many factors, including the scale of the hos-
tile cyber operation (how many entities are being targeted), the nature of
the targets (which entities are being targeted), the success of the operation

and nature of any foreign involvement derived from technical analysis of

-
cally derived from the operation itself, and attribution of the operation

of “something bad going on in cyberspace.” Assessments are further com-

plicated by the possibility that an initial penetration is simply paving the
way for hostile payloads that will be delivered later, or by the possibility
that the damage done by an adversarial operation will not be visible for
a long time after it has taken place.
The government agencies responsible for threat assessment and warn-
ing can, in principle, draw on a wide range of information sources, both
inside and outside the government. In addition to hearing from private-

communicate with security IT vendors, such as Symantec and McAfee,

that monitor the Internet for signs of hostile activity. Other public inter-
est groups, such as the OpenNet Initiative and the Information Warfare
Monitor, seek to monitor hostile operations launched on the Internet.4

4 See the OpenNet Initiative (http://opennet.net/) and the Information Warfare Moni-
tor (http://www.infowar-monitor.net/) Web sites for more information on these groups.
A useful press report on the activities of these groups can be found at Kim Hart, “A
New Breed of Hackers Tracks Online Acts of War,” Washington Post, August 27, 2008,
available at http://www.washingtonpost.com/wp-dyn/content/article/2008/08/26/
AR2008082603128_pf.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 57

4.1.3 Defending a System or Network

Defending a system or network means taking actions so that a hostile
actor is less successful than he or she would otherwise be in the absence
of defensive actions. A desirable side effect of taking such measures is that
by reducing the likelihood that a hostile actor will succeed, that actor may
also be deterred from taking hostile action because of its possible futility.
Some of the most important approaches to defense include:

• Reducing the number of vulnerabilities contained in any deployed IT

system or network. There are two methods for doing so.

known as “patching”). Much software has the capability to update

itself, and many updates received automatically by a system con-
tain patches that repair vulnerabilities that have become known
since the software was released for general use.
— Design and implement software so that it has fewer vulnerabili-
ties from the start. Software designers know many principles about
how to design and build IT systems and networks more securely
-

security features are feasible—implementing such features in hard-

ware is often more secure than implementing them in software,
-
parable software implementations.
• Eliminating or blocking known but unnecessary access paths. Many IT
systems or networks have a variety of ways to access them that are unnec-
essary for their effective use. Security-conscious system administrators
often disconnect unneeded wireless connections and wired jacks; disable
USB ports; change system access controls to quickly remove departing
employees or to restrict the access privileges available to individual users
-

the Internet is a particular instance of eliminating an access path.

• “Whitelisting” software. Vendors of major operating systems provide
the option of (and sometimes require) restricting the programs that can be

approach is the “app store” approach to software development by third

parties for mobile devices. In principle, whitelisting requires that the code
of an application be cryptographically signed by its author using a public
-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

58 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

BOX 4.1 On Attribution

Attribution is the process through which an adversarial cyber operation is

associated with its perpetrator. In this context, the definition of “perpetrator” can
have many meanings:
• The computer from which the adversarial cyber operation reached the
target. Note that this computer—the one most proximate to the target—may well
belong to an innocent third party that has no knowledge of the operation being
conducted.
• The computer that launched or initiated the operation.
• The geographic location of the machine that launched or initiated the
operation.
• The individual sitting at the keyboard of the initiating machine.
• The nation under whose jurisdiction the named individual falls (e.g., by
virtue of his physical location when he typed the initiating commands).
• The entity under whose auspices the individual acted, if any.
One can thus imagine a hostile operation that is launched under the auspices
of Elbonia, by a Ruritanian citizen sitting in a Darkistanian computer laboratory,
that penetrates computers in Agraria as intermediate nodes in an attack on com-
puters in Latkovia.
In general, “attribution” of a hostile cyber operation could refer to an identifica-
tion of any of three entities:
• A computer or computers (called C) that may be involved in the operation.
The identity of C may be specified as a machine serial number, a MAC address,
or an Internet Protocol (IP) address.1
• The human being(s) (H) involved in the operation, especially the human
being who initiates the hostile operation (e.g., at the keyboard). The identity of H
may be specified as his or her name, pseudonym, or identification card number,
for example.
• The party (P) ultimately responsible for the actions of the involved hu-
mans. The identity of P may be the name of another individual, the name of an
organization, or the name of a country, for example. If H is a “lone wolf,” P and H
are probably the same.
Note that knowing the identity of C does not necessarily identify H, and know-
ing the identity of H does not necessarily identify P.
The distinctions between C, H, and P are important because the appropriate
meaning of attribution depends on the reason that attribution is necessary.
• If the goal is to mitigate the negative effects of a hostile cyber operation
as soon as possible, it is necessary to shut down the computers involved in the
operation, a task that depends on affecting the computers more than on affecting
their operators or their masters. The identity of C is important.
• If the goal is to prosecute or take the responsible humans into custody,
the names of these human beings are important. The identity of H is important.
• If the goal is to deter future hostile acts, and recognizing that deterrence
involves imposing a cost on the party that would otherwise choose to launch a
future hostile act, the identity of P is important.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 59

When the identities of H or P are desired, judgments of attribution are based

on all available sources of information, which could include technical signatures
and forensics collected regarding the act in question, communications information
(e.g., intercepted phone calls monitoring conversations of individuals or their lead-
ers), prior history (e.g., similarity to previous hostile operations), and knowledge of
those with incentives to conduct such operations.
The fact that such a diversity of sources is necessary for identifying humans
underscores a fundamental point—assignment of responsibility for an adversarial
cyber operation is an act that is influenced although not uniquely determined by the
technical information associated with the operation itself. Nontechnical evidence
can often play an important role in determining responsibility, and ultimately, human
judgment is an essential element of any attempt at attribution.
It is commonly said that attribution of an adversarial cyber operation is im-
possible. The statement does have an essential kernel of truth: if the perpetrator
makes no mistakes, uses techniques that have never been seen before, leaves
behind no clues that point to himself, does not discuss the operation in any public
or monitored forum, and does not conduct his actions during a period in which his
incentives to conduct such operations are known publicly, then identification of the
perpetrator may well be impossible.
Indeed, sometimes all of these conditions are met, and policy makers rightly
despair of their ability to act appropriately under such circumstances. But in other
cases, the problem of attribution is not so dire, because one or more of these
conditions are not met, and it may be possible to make some useful (if incomplete)
judgments about attribution. For example, a cyber intruder may leave his IP ad-
dress exposed (perhaps because he forgot to use an anonymizing service to hide
it). That IP address may be the key piece of information that is necessary to track
the intruder’s location and eventually to arrest the individual involved.2
Perhaps the more important point is that prompt attribution of any given
adversarial cyber operation is much more difficult than eventual or delayed attribu-
tion. It takes time—days, weeks, perhaps months—to assemble forensic evidence
and to compare it to evidence of previous operations, to query nontechnical intel-
ligence sources, and so on. In a national security context, policy makers faced with
responding to a hostile cyber operation naturally feel pressure to respond quickly,
but sometimes such pressures have more political than operational significance.
Last, because attribution to any actor beyond a machine involves human
judgments, actors that are accused of being responsible for bad actions in cyber-
space can always assert their innocence and point to the sinister motives of the
parties making human judgments, regardless of whether those judgments are
well founded. Such denials have some plausibility, especially in an environment in
which there are no accepted standards for making judgments related to attribution.

1 A MAC address (MAC is an acronym for media access control) is a unique number as-

sociated with a physical network adapter, specified by the manufacturer and hard-coded into
the adapter hardware. An IP address (Internet Protocol address) is a number assigned by the
operator of a network using the Internet Protocol to a device (e.g., a computer) attached to
that network; the operator may, or may not, use a configuration protocol that assigns a new
number every time the device appears on the network.
2 See Gerry Smith, “FBI Agent: We’ve Dismantled the Leaders of Anonymous,” The

Huffington Post, August 21, 2013, available at http://www.huffingtonpost.com/2013/08/21/

anonymous-arrests-fbi_n_3780980.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

60 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

BOX 4.2 The Saltzer-Schroeder Principles of

Secure System Design and Development

Saltzer and Schroeder articulate eight design principles that can guide sys-
tem design and contribute to an implementation without security flaws:

• Economy of mechanism: The design should be kept as simple and small

as possible. Design and implementation errors that result in unwanted access
paths will not be noticed during normal use (since normal use usually does not
include attempts to exercise improper access paths). As a result, techniques such
as line-by-line inspection of software and physical examination of hardware that
implements protection mechanisms are necessary. For such techniques to be suc-
cessful, a small and simple design is essential.
• Fail-safe defaults: Access decisions should be based on permission rather
than exclusion. The default situation is lack of access, and the protection scheme
identifies conditions under which access is permitted. The alternative, in which
mechanisms attempt to identify conditions under which access should be refused,
presents the wrong psychological base for secure system design. This principle
applies both to the outward appearance of the protection mechanism and to its
underlying implementation.
• Complete mediation: Every access to every object must be checked for
authority. This principle, when systematically applied, is the primary underpinning
of the protection system. It forces a system-wide view of access control, which,
in addition to normal operation, includes initialization, recovery, shutdown, and
maintenance. It implies that a foolproof method of identifying the source of every
request must be devised. It also requires that proposals to gain performance by
remembering the result of an authority check be examined skeptically. If a change
in authority occurs, such remembered results must be systematically updated.
• Open design: The design should not be secret. The protection mecha-
nisms should not depend on the ignorance of potential attackers, but rather on the
possession of specific, more easily protected keys or passwords. This decoupling
of protection mechanisms from protection keys permits the mechanisms to be
examined by many reviewers without concern that the review may itself compro-
mise the safeguards. In addition, any skeptical users may be allowed to convince

5
If the app store
does whitelisting consistently and rigorously (and app stores do vary sig-

cannot run programs that have not been properly signed. Another issue
for whitelisting is who establishes any given whitelist—the user (who

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 61

themselves that the system they are about to use is adequate for their individual
purposes. Finally, it is simply not realistic to attempt to maintain secrecy for any
system that receives wide distribution.
• Separation of privilege: Where feasible, a protection mechanism that re-
quires two keys to unlock it is more robust and flexible than one that allows access
to the presenter of only a single key. The reason for this greater robustness and
flexibility is that, once the mechanism is locked, the two keys can be physically
separated, and distinct programs, organizations, or individuals can be made re-
sponsible for them. From then on, no single accident, deception, or breach of trust
is sufficient to compromise the protected information.
• Least privilege: Every program and every user of the system should oper-
ate using the least set of privileges necessary to complete the job. This principle
reduces the number of potential interactions among privileged programs to the
minimum for correct operation, so that unintentional, unwanted, or improper uses
of privilege are less likely to occur. Thus, if a question arises related to the possible
misuse of a privilege, the number of programs that must be audited is minimized.
• Least common mechanism: The amount of mechanism common to more
than one user and depended on by all users should be minimized. Every shared
mechanism (especially one involving shared variables) represents a potential infor-
mation path between users and must be designed with great care to ensure that it
does not unintentionally compromise security. Further, any mechanism serving all
users must be certified to the satisfaction of every user, a job presumably harder
than satisfying only one or a few users.
• Psychological acceptability: It is essential that the human interface be
designed for ease of use, so that users routinely and automatically apply the pro-
tection mechanisms correctly. More generally, the use of protection mechanisms
should not impose burdens on users that might lead users to avoid or circumvent
them—when possible, the use of such mechanisms should confer a benefit that
makes users want to use them. Thus, if the protection mechanisms make the
system slower or cause the user to do more work—even if that extra work is
“easy”—they are arguably flawed.

SOURCE: Adapted from J.H. Saltzer and M.D. Schroeder, “The Protection of Information in
Computer Systems,” Proceedings of the IEEE 63(9):1278-1308, September 1975.

(who may not be willing or able to provide the full range of applications
desired by the user or may accept software too uncritically for inclusion
on the whitelist).

These approaches to defense are well known, and are often imple-
mented to a certain degree in many situations. But in general, these
approaches have not been adopted as fully as they could be, leaving sys-
tems more vulnerable than they would otherwise be. If the approaches

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

62 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Several factors account for this phenomenon:

• . In many cases,
closing down access paths and introducing cybersecurity to a system’s
design slows it down or makes it harder to use. Restricting access privi-
leges to users often has serious usability implications and makes it harder

needs higher access privileges temporarily but on a time-urgent basis.

Implementing the checking, monitoring, and recovery needed for secure
operation requires a lot of computation and does not come for free. User
demands for backward compatibility at the applications level often call
for building into new systems some of the same security vulnerabilities
present in the old systems. Program features that enable adversary access
can be turned off, but doing so may disable functionality needed or
desired by users.
• The mismatch between these approaches to defense and real-world soft-
ware development environments

such an environment, it makes very little sense to invest up front in the

approaches to defense outlined above unless such adherence is relatively

• . With large systems in place,

upgrade all parts of the system at once. This means that for practical

technology environment in which the parts that have not been replaced
are likely still vulnerable, and their interconnection to the parts that have
been replaced may make even the new components vulnerable.

4.1.4 Ensuring Accountability

Accountability is the ability to unambiguously associate a conse-
-
cation refers to a process that ensures that an asserted identity is indeed
properly associated with the asserting party. Access control is the tech-
nical mechanism by which certain system privileges but not others are
-
nical means by which the activity of an intruder can be reconstructed; in
many cases, the intruder leaves behind evidence that provides clues to
his or her identity.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 63

Individual Authentication and Access Control

For purposes of this report, authentication usually refers to the pro-

-
ment agency.
As applied to individuals, authentication serves two purposes:

• Ensuring that only authorized parties can perform certain actions. In

privileges and no others. Because certain users have privileges that others

• Facilitating accountability, which is the ability to associate a conse-

quence with a past improper action of an individual. Thus, the authentica-
tion process must unambiguously identify one and only one individual
who will be held accountable for improper actions. (This is the reason that
credentials should not be shared among individuals.) To avoid account-
ability, an individual may seek to defeat an authentication process.

In general, the authentication process depends on one or more of

three factors: something you know, something you have, or something
you are.

• Something you know, such as a password. Passwords have many

hardware or training. Passwords can be distributed, maintained, and

guessing and to theft.6 Passwords are easily shared, either intentionally

lost (forgotten) passwords. Because people often reuse the same name
and password combinations across different systems to ease the burden

(in order of frequency) “123456,” “password,” and “12345678.” See Impact Lab, “The Top
50 Gawker Media Passwords,” December 14, 2010, available at http://www.impactlab.
net/2010/12/14/the-top-50-gawker-media-passwords/.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

64 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

on their memories, a successful password attack on a user on one site

increases the likelihood that accounts of the same user on other sites can
be hacked.
• Something you have, such as a cell phone. If a user is locked out of
his account because of a forgotten password, a password recovery system

code that can be used to reset the password. Although anyone can request

on which the activation code is received. Of course, this approach pre-

sumes that I have—in advance—told the system my cell phone number
at the time of account setup; that is the primary way that the system can

• Something you are

(often called biometrics) is the automatic recognition of human individu-
als on the basis of behavioral and physiological characteristics. Biometrics
have the obvious advantage of authenticating the human, not just the
presented token or password. Common biometrics in use today verify
-
ous disadvantage of biometric credentials is that they can be forged or
stolen,7
credential cannot be changed). Other downsides to biometrics include the
fact that not all people can use all systems, making a backup authentica-
tion method necessary (and consequently increasing vulnerability), and
the fact that remote enrollment of a biometric measure (sending one’s

purpose and is easily compromised.

These factors can be combined to provide greater authentication secu-

-

read by a computer. This approach would provide two-factor authentica-

one to enable access.

All authentication mechanisms are susceptible to compromise to
varying degrees in two ways. One is technical—use of a gummy bear to

-
metrics Firms,” The Register, May 16, 2002, http://www.theregister.co.uk/ 2002/05/16/

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 65

-
ing action on behalf of someone without those privileges.

Organizational Authentication

On the Internet today, I would likely rely on the assurances of a trusted

BOX 4.3 Certificate Authorities

Cryptography refers to a set of techniques that can be used to scramble

information so that only certain parties—parties with the decryption key—can
recover the original information. To scramble the original information, the sender
of the information uses an encryption key.
In symmetric cryptography (or equivalently, secret-key cryptography), the en-
cryption key is the same as the decryption key; thus, message privacy depends on
the key being kept secret. In asymmetric (or, equivalently, public-key) cryptographic
systems, the encryption key is different from the decryption key. Message privacy
depends only on the decryption key being kept secret. The encryption key can
even be published and disseminated widely, so that anyone can encrypt messages.
Certificate authorities are used to facilitate public-key cryptography systems
that enable secure communications among a large number of parties who do not
know each other and who have not made prior arrangements for communicating.
For Alice to send a secure message to Bob, Alice needs to know Bob’s encryption
key. Alice looks up in a published directory Bob’s encryption key (which happens to
be 2375959), and then sends an encrypted message to Bob. Only Bob can decrypt
it, because only Bob knows the correct decryption key. But how is Alice to know
that the number 2375959 does in fact belong to Bob—in other words, how does
Alice know that the published directory is trustworthy?
The answer is that a trusted certificate authority stands behind the association
between a given encryption key and the party to which it belongs. Certificate au-
thorities play the role of trusted third parties—trusted by both sender and receiver
to associate and publish public keys and names of potential message recipients.
Certificate authorities can exist within a single organization, across multiple
related organizations, or across society in general. Any number of certificate au-
thorities can coexist, and they may or may not have agreements for cross-certi-
fication, whereby if one authority certifies a given person, then another authority
will accept that certification within its own structure.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

66 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Given the role of the CA, its compromise is a dangerous event that can
-

and some have even gone rogue on their own. The security of the Inter-
net is under stress today in part because the number of trusted but not
trustworthy CAs is growing. Thus, CAs must do what they can to ensure

is compromised.
-

check its status to see if it has been revoked. Few users are so diligent—
they rely on software to perform such checks. Sometimes the software
fails to perform a check, leaving the user with a false sense of security.

revoked and asks the user if he or she wants to proceed. Faced with this
question, the user often proceeds.
Furthermore, there is an inherent tension between authentication
and privacy, because the act of authentication involves some disclosure

attribute for use within an authentication system, creating transactional

records, and revealing information used in authentication to others
with unrelated interests all have implications for privacy and other civil
liberties.

Stronger Authentication for the Internet

As discussed in Chapter 2, digital information is inherently anony-

a given party with any given piece of information. The Internet is a means
for transporting information from one computer to another, but today’s
Internet protocols do not require a validated identity to be associated with
the packets that are sent.
Nevertheless, nearly all users of the Internet obtain service through
an Internet service provider, and the ISP usually does have—for billing
purposes—information about the party sending or receiving any given
packet. In other words, access to the Internet usually requires some kind
of authentication of identity, but the architecture of the Internet does not
require that identity to be carried with sent packets all the way to the

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 67

intended recipient. (As an important aside, an ISP knows only who pays
a bill for Internet service, and one bill may well cover Internet access for
multiple users. However, the paying entity may itself have accounting
systems in place to differentiate among these multiple users.)
In the name of greater security, proposals have been made for a
“strongly authenticated” Internet as a solution to the problem of attri-

responsible for a cyber incident. If cyber incidents effectuated through

could be established and penalties meted out for illegal, improper, or

to improve attribution capabilities.

services provided at the packet level of the Internet, as described in

Chapter 2. Alternatively, strong authentication could be a service imple-
mented at the applications level, in which case authentication would be
the responsibility of individual applications developers that would then
design such services as needed for the particular application in question.
Although the availability of a strongly authenticated Internet would
certainly improve the security environment over that of today, it is not
a panacea. Perhaps most important, users of a strongly authenticated
Internet would be high-priority targets themselves. Once they were com-
promised (likely through social engineering), their credentials could then
be used to gain access to the resources on the strongly authenticated Inter-
net. The intruder could then use these resources to launch further hostile
operations against the true target, masking his true identity.
In addition, strong authentication, especially if implemented at the
packet level, raises a number of civil liberties concerns, as described in
Chapter 5.

Forensics

and science of obtaining useful evidence from an ostensibly hostile cyber

event. Cyber forensics are intended to provide information about what an
-

forensics are necessary because, among other things, intruders often seek
to cover their tracks.
-
tal information carries with it no physical signature that can be associated
-
nature on a document says something about the computer that signed the

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

68 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

document using a private and secret cryptographic key, it does not neces-
sarily follow that the individual associated with that key signed the docu-
ment. Because the key is a long string of digits, it is almost certainly stored
in machine-readable form, and the association of the individual with the
signed document requires a demonstration that no one else could have

true in practice—that the owner of a Wi-Fi router has willfully allowed

for information that the perpetrator of a hostile action may have tried to
delete or did not know was recorded, audits of system logs for reconstruc-
tions of a perpetrator’s system accesses and activities, statistical and his-

further review and investigation. Conducted in real time, an audit could

send a warning to system administrators of wrongdoing in progress.
Precisely what must be done in any cyber forensic investigation
depends on its purpose. One purpose, of course, is to obtain evidence
that may be usable in court for a criminal prosecution of the perpetrator.
In this event, forensic investigation also involves maintaining a chain of
custody over the evidence at every step, an aspect of the investigation
that is likely to slow down the investigation. But businesses may need
to conduct a forensic investigation to detect employee wrongdoing or to
protect intellectual property. For this purpose, the evidentiary require-
ments of forensic investigation may be less stringent and the investigation
shorter, a fact that might allow statistical likelihood, indirect evidence,
and hearsay to fall within the scope of non-evidentiary forensics; the

instrumentation of embedded systems to handling massive data volume

and network monitoring, and they require a similar foundation to deal

relevant to civil proceedings, both because the standards of proof there are
lower and because the use of digital forensics in business activities may
also be the subject of litigation.
Also, the forensic investigator must proceed differently in an after-
the-fact investigation than in a real-time investigation. Law enforcement
authorities are often oriented toward after-the-fact forensics, which help
-
vention or mitigation of damage is the goal of law enforcement authorities

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 69

or business operators, real-time or near-real-time forensics may be more

valuable.
When cyber forensics are performed on IT systems and networks
within the victim’s legitimate span of control, the legal and policy issues
are few. Such issues become much more complicated if it is necessary to
perform cyber forensics on IT systems and networks outside the victim’s

hostile operation from the computer belonging to an innocent third party

that has no relationship to either adversary or victim, conducting foren-
sics on that computer without the third party’s knowledge or permission
raises a number of legal and policy problems.

4.1.5 Building a Capacity for Containment, Recovery, and Resilience

Acknowledging that defenses are likely to be breached, one can also
seek to contain the damage that a breach might cause and/or to recover
from the damage that was caused.

Containment
Containment refers to the process of limiting the effects of a hostile
-
ing environment designed to be disposable—corruption or compromise
in this environment does not matter much to the user, and the intruder
is unlikely to gain much in the way of additional resources or privileges.

and the “real” computing environment in which serious business can be

for safe interaction between the buffer and the “real” environment, and
in an imperfectly designed disposable environment, unsafe actions can

provide some level of protection against the dangers of running untrusted

programs.
-
puting environments. In agriculture, monocultures are known to be

of millions of identically programmed computers is systematically vulner-

those computers are attached to the Internet—a hostile operation that is

successful against one of these computers will be successful against all
of them, and malware can propagate rapidly in such an environment. If
these computers are programmed differently (while still providing the

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

70 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

same functionality to the user), the techniques used in a hostile operation

against a particular programming base may well be unsuccessful against
a different code base, and thus not all of the computers in the population
will be vulnerable to those techniques. However, it is generally more

environment, and interoperability among the systems in the population

Recovery
In general, recovery-oriented approaches accomplish repair by restor-
ing a system to its state at an earlier point in time. If that point in time
is too recent, then the restoration will include the damage to the system
caused by the attack. If that point in time is too far back, an unacceptable

A recovery-oriented approach is not particularly useful in any envi-

ronment in which the attack causes effects on physical systems—if an
-
puter systems attacked will restore that generator to working order. (But
the operator still needs to restore the computer so that the replacement
generator won’t be similarly damaged.)
In large systems or services, reverting to a known system state before
the security breach may well be infeasible. Under such circumstances, a
more practical goal is to restore normal system capacity/functionality
with as little loss of operating data as possible.

Resilience
A resilient system is one whose performance degrades gradually
rather than catastrophically when its other defensive mechanisms are
-
form some of its intended functions, although perhaps more slowly or for
fewer people or with fewer applications.
Redundancy is one way to provide a measure of resilience. For

account for the loss of intermediate nodes—that is, to provide redundant

A second approach to achieving resilience is to design a system or

network without a single point of failure—that is, it should be impossible
to cause the system or network to cease functioning entirely by crippling
or disabling any one component of the system. Unfortunately, discover-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 71

redundancy for certain systems is simply to replicate the system and run

4.1.6 Employing Active Defense

The limitations of the measures described above to protect important
information technology assets and the information they contain are well
known. Many measures (e.g., repair of system vulnerabilities) can be

is, systems and networks that it has the legal right to access, monitor, and
modify. These also may reduce important functionality in the systems

to use. They are also reactive—they are invoked or become operational

(or is occurring).

option for responding to the cyber threat, the Department of Defense

issued in 2011 its Department of Defense Strategy for Operating in Cyberspace,
which states that the United States will employ “an active cyber defense
-

The DOD does not describe active cyber defense in any detail, but
the formulation above for “active cyber defense” could, if read broadly,

non-cooperative measure affecting or harming an attacker’s IT systems

and networks, any proactive measure, or any retaliatory measure, as long
as such action was taken for the purpose of defending DOD systems or
networks from that attacker.
The sections below describe some of the components that a strategy
of active cyber defense might logically entail.

Cyber Deception for Defensive Purposes

8 See U.S. Department of Defense, Department of Defense Strategy for Operating in

Cyberspace

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

72 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

looks like the real thing may be misled into taking action harmful to his
own interests, and at the very least has been forced to waste time, effort,
and resources in obtaining useless information.
The term “honeypot” in computer security jargon refers to a machine,
a virtual machine, or other network resource that is intended to act as a
decoy or diversion for would-be intruders. Honeypots intentionally con-

production systems. Indeed, in most cases, systems administrators want

intruders to succeed in compromising or breaching the security of honey-

the techniques and methods used by the intruder. This process allows
administrators to be better prepared for hostile operations against their
real production systems. Honeypots are very useful for gathering infor-
mation about new types of operation, new techniques, and information
on how things like worms or malicious code propagate through systems,
and they are used as much by security researchers as by network security
administrators.
When the effects of a honeypot are limited in scope to the victim’s sys-
tems and networks, the legal and policy issues are relatively limited. But if
they have effects on the intruder’s systems, both the legal and the policy

its own offensive operations on B’s systems in certain ways.

-
con” that sends an e-mail to A to report on the environment in which it

B’s systems in the future. All of these actions raise legal and policy issues
regarding their propriety.

Disruption
Disruption is intended to reduce the damage being caused by an
adversarial cyber operation in progress, usually by affecting the operation
of the computer systems being used to conduct the operation.
-
abling the computers that control a botnet. Of course, this approach pre-

is used, such knowledge is unlikely. But over time, patterns of behavior

might suggest the identity of those computers and an access path to them.
Thus, disruption would be easier to accomplish after repeated attacks.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 73

Under most circumstances, disabling the computers controlling an

adversarial operation runs a risk of violating domestic U.S. law such as
the Computer Fraud and Abuse Act. However, armed with court orders,
information technology vendors and law enforcement authorities have
worked together in a number of instances to disrupt the operation of

those botnets.

9
In addition, they
provided information about the botnets to computer emergency response
teams (CERTs) located abroad, requesting that they target related com-
mand-and-control infrastructure. At the same time, the FBI provided
related information to its overseas law enforcement counterparts.

Preemption
Preemption—sometimes also known as anticipatory self-defense—is

conduct a hostile cyber action against a victim. The idea of preemption

national security.10
Preemption as a defensive strategy is a controversial subject, and the
-
tial. 11

preemption. When the number of possible cyber adversaries is almost

limitless, how would a country know who was about to launch such an

and other intelligence sources would seem to be a quite daunting task

6, 2013, available at http://www.informationweek.com/attacks/microsoft-fbi-trumpet-

10 Mike McConnell, “How to Win the Cyber War We’re Losing,” Washington Post,
February 28, 2010, available at http://www.washingtonpost.com/wp-dyn/content/article/
2010/02/25/AR2010022502493.html.
11 Herbert Lin, “A Virtual Necessity: Some Modest Steps Toward Greater Cybersecurity,”

Bulletin of the Atomic Scientists, September 1, 2012, available at http://www.thebulletin.

org/2012/september/virtual-necessity-some-modest-steps-toward-greater-cybersecurity.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

74 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

and yet necessary in an environment in which threats can originate from

nearly anywhere.

the adversary take nearly all of the measures and make all of the prepa-
rations needed to carry out that action. The potential victim considering
preemption must thus be able to target the adversary’s cyber assets that
would be used to launch a hostile operation. But the assets needed to

(or made entirely invisible)—reducing the likelihood that a serious dam-

age-limiting preemption could be conducted.

BOX 4.4 A Brief Case Study—

Securing the Internet Against Routing Attacks

The task of securing the routing protocols of the Internet makes a good case
study of the nontechnical complexities that can emerge in what might have been
thought of as a purely technical problem.
As noted in Chapter 2, the Internet is a network of networks. Each network
acts as an autonomous system under a common administration and with common
routing policies. BGP is the Internet protocol used to characterize every network
to each other, and in particular to every network operated by an Internet service
provider (ISP).
In general, the characterization is provided by the ISP responsible for the
network, and in part the characterization specifies how that ISP would route traffic
to a given destination. A problem arises if and when a malicious ISP in some part
of the Internet falsely asserts that it is the right path to a given destination (i.e., it
asserts that it would forward traffic to a destination but in fact would not). Traffic sent
to that destination can be discarded, causing that destination to appear to be off
the net. Further, the malicious ISP might be able to mimic the expected behavior
of the correct destination, fooling unsuspecting users into thinking that their traffic
has been delivered properly and thus causing further damage.
The technical proposal to mitigate this problem was to have the owner of each
region of Internet addresses digitally sign an assertion to the effect that it is the
rightful owner (which would be done using cryptographic mechanisms), and then
delegate this assertion to the ISP that actually provides access to the addresses,
which in turn would validate it by a further signature, and so on as the assertion
crossed the Internet. A suspicious ISP trying to decide if a routing assertion is valid
could check this series of signed assertions to validate it.
This scheme has a bit of overhead, which is one objection, but it also has an-
other problem—how can a suspicious ISP know that the signed assertion is valid?

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 75

4.2 NONTECHNOLOGICAL DIMENSIONS OF CYBERSECURITY

An important lesson that is often lost amidst discussions of cyber-
security is that cybersecurity is not only about technology to make us
more secure in cyberspace. Indeed, technology is only one aspect of such
security, and is arguably not even the most important aspect of security.

section discusses a number of the most important nontechnological fac-

tors that affect cybersecurity.

It has been signed using some cryptographic key, but the suspicious ISP must
know who owns that key. To this end, it is necessary to have a global key distribu-
tion and validation scheme, which is called a public-key infrastructure, or PKI. The
original proposal was that there would be a “root of trust,” an actor that everyone
trusted, who would sign a set of assertions about the identities of lower-level enti-
ties, and so on until there was a chain of correctness-confirming assertions that
linked the assertions of each owner of an address block back to this root of trust.
This idea proved unacceptable for the reason, perhaps obvious to nontechni-
cal people, that there is no actor that everyone—every nation, every corporation,
and so on—is willing to trust. If there were such an actor, and if it were to suddenly
refuse to validate the identity of some lower-level actor, that lower-level actor would
be essentially removed from the Internet. The alternative approach was to have
many roots of trust—perhaps each country would be the root of trust for actors
within its borders. But this approach, too, is hard to make work in practice—for
example, what if a malicious country signs some assertion that an ISP within its
border is the best means to reach some range of addresses? How can someone
know that this particular root of trust did not in fact have the authority to make as-
sertions about this part of the address space? Somehow one must cross-link the
various roots of trust, and the resulting complexity may be too hard to manage.
Schemes that have been proposed to secure the global routing mechanisms
of the Internet differ with respect to the overhead, the range of threats to which
they are resistant, and so on. But the major problem that all these schemes come
up against is the nontechnical problem of building a scheme that can successfully
stabilize a global system built out of regions that simply do not trust each other.
And of course routing is only part of making a secure and resilient Internet. An
ISP that is malicious can make correct routing assertions and then just drop or
otherwise disrupt the packets as they are forwarded. The resolution of these sorts
of dilemmas seems to depend on an understanding of how to manage trust, not
on technical mechanisms for signing identity assertions.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

76 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

4.2.1 Economics12
Many problems of cybersecurity can be understood better from an

-
tory frameworks, and tragedy of the commons. Taken together, economic
-
tions, cybersecurity is and will be a hard problem to address.
Many actors make decisions that affect cybersecurity: technology
-
ment, the intelligence community, and governments (both as technology
users and as guardians of the larger social good). Each of these actors gets
plenty of blame for being the “problem”: if technology vendors would just
properly engineer their products, if end users would just use the technol-
ogy available to them and learn and practice safe behavior, if companies
would just invest more in cybersecurity or take it more seriously, if law
enforcement would just pursue the bad guys more aggressively, if policy
makers would just do a better job of regulation or legislation, and so on.
There is some truth to such assertions, and yet it is important to
understand the incentives for these actors to behave as they do. For

-
ity, time, and cost in design and testing while being hard to value or even
assess by customers.
-
als do sometimes (perhaps even often) take cybersecurity into account.
But these parties have strong incentives to take only those cybersecurity
measures that are valuable for addressing their own cybersecurity needs,

much of the payoff from security investments may be captured by society

-
promise intermediary M’s computer facilities in order to attack V. This
convoluted routing is done so that V will have a harder time tracing the

12 For an overview of the economic issues underlying cybersecurity, see Tyler Moore,
“Introducing the Economics of Cybersecurity: Principles and Policy Options,” in National
Research Council, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies
and Developing Options for U.S. Policy, pp. 3-24, The National Academies Press, Washington
D.C., 2010. An older but still very useful paper is Ross Anderson, “Why Information Security
Is Hard—An Economic Perspective,” Proceedings of the 17th Annual Computer Security
Applications Conference, IEEE Computer Society, New Orleans, La., 2001, pp. 358-365.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 77

attack back to A. However, the compromise on M’s computers will usu-

ally not damage them very much, and indeed M may not even notice
that its computers have been compromised. Investments made by M to

have economic roots.

Is the national cybersecurity posture resulting from the investment
-

of this question yields “no” for an answer—whereas many in the private

sector say “yes.” This disagreement is at the heart of many disputes about
what the nation can and should do about cybersecurity policy.

4.2.2 Psychology
A wide variety of psychological factors and issues are relevant to
cybersecurity.

Social Engineering

by breaking in or using technical hacking techniques.”13

engineer might try to trick an employee into divulging his password by

posing as an IT support person.
Social engineering is possible because the human beings who install,

through deception and trickery. Spies working for an intruder may be

unknowingly hired by the victim, and more importantly and commonly,
users can be deceived into actions that compromise security. No malware
operates by informing a human user that “running this program or open-

human into running a program with that effect.

Many instances involving the compromise of users or operators

initiative of the intruder (often posing as someone known to the victim),

13

http://www.csoonline.com/article/514063/social-engineering-the-basics.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

78 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

of the latter include links to appealing Web pages and or downloadable

Another channel for social engineering is the service providers on

also obtain cybersecurity services from third parties, such as a security

software vendor that might be bribed or otherwise persuaded to ignore
a particular virus. Service providers are potential security vulnerabilities,
and thus might well be intermediate targets in an offensive operation
directed at the true (ultimate) target.

Decision Making Under Uncertainty

Decision making under conditions of high uncertainty will almost

conditions of high uncertainty, crisis decision-making processes are often

14

-
sion-making process, Stein points to uncertainty about realities on the

suboptimal outcomes because the actors involved do not have or under-

stand all of the relevant information about the situation. Uncertainties

assessment), the intentions of the various actors (e.g., defensive actions by

A are seen as provocative by B, inadvertent actions by A are seen as delib-
erate by B), the bureaucratic interests pushing decision makers in certain
directions (e.g., cyber warriors pushing for operational use of cyber tools),

-
ing, Stein points out that because the information-processing capability of
people is limited, they are forced in confusing situations to use a variety

uncertainty, handle information, make inferences, and generate threat

perceptions.”15

14 The Oxford
Handbook of Political Psychology

15 Stein, “Threat Perception in International Relations,” 2013.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 79

• Interpret ambiguous information in terms of what is most easily

available in their cognitive repertoire (availability). Thus, if a cyber disas-
ter (real or hypothetical) is easily recalled, ambiguous information about
cyber events will seem to point to a cyber disaster.
•

estimates of frequency (representativeness). Thus, if the available infor-

mation on a cyber event seems to point to its being a hostile action taken
by a nation-state, it will be interpreted that way even if that nation-state
has taken few such actions in the past.
• Estimate magnitude or degree by comparing it with an “available”
initial value (often an inaccurate one) as a reference point and making a
comparison (anchoring).
• Attribute the behavior of adversaries in terms of their disposition
and animus but attribute their own behavior to situational factors. That
is, “they” take certain actions because they want to challenge us, but “we”
take the same actions because circumstances demanded that we do so.

Education for Security Awareness and Behavior

Users are a key component of any information technology system
in use, and inappropriate or unsafe user behavior on such a system can
easily lead to reduced security. Security education has two essential com-
ponents: security awareness and security-responsible behavior.

• Security awareness refers to user consciousness of the reality and

motivates users to adopt safeguards that reduce the likelihood of security

compromises and/or the effect of such compromises when they do occur.
• Security-responsible behavior refers to what users should and
should not do from a security standpoint once they are motivated to take
action.

To promote security awareness, various reports have sought to make

the public aware of the importance of cybersecurity. In general, these
reports point to the sophistication of the cybersecurity threat, the scale of
the costs to society as a whole resulting from threats to cybersecurity, and
the urgency of “doing something” about the threat. But it is also likely
that such reports do not motivate individual users to take cybersecurity

that could entail substantial personal costs to them.

As for security-responsible behavior, most children do receive some

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

80 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

when confronted with suspicious situations, and so on. But a comparable

effort to educate children about some of the basic elements of cybersecu-

To illustrate some of what might be included in education for secu-

rity-responsible behavior, a course taught at the University of Washington
in 2006, intended to provide a broad education in the fundamentals of
information technology for lay people, set forth the following objectives
for its unit on cybersecurity:16

• Learn to create strong passwords.

•
• Use Windows Update to keep your system up to date.
• Update McAfee VirusScan so that you can detect viruses.
• Use Windows Defender to locate and remove spyware.

Convenience and Ease of Use

-
als to manage effectively or to use conveniently. Security is hard for users,
administrators, and developers to understand, making it all too easy to

Moreover, security and privacy technologies originally were developed

-
ity for security and privacy protections and in which the users tended
to be sophisticated. Today, the user base is much wider—including the

households—but the basic models for security and privacy are essentially
unchanged.
Security features can be clumsy and awkward to use and can pres-

measures are all too often disabled or bypassed by the users they are
intended to protect. Because the intent of security is to make a system

balance between the two.

two systems because it is much easier than rekeying the data by hand.

16 See University of Washington, “Lab 11—Computer Security Basics,” Winter 2006,

available at http://www.cs.washington.edu/education/courses/100/06wi/labs/lab11/
lab11.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 81

But establishing an electronic link between the systems may add an access
path that is useful to an intruder. Taking into account the needs of usable
security might call for establishing the link but protecting it or tearing
down the link after the data has been transferred.
In other cases, security techniques do not transfer well from one tech-

password on a mobile device than on a keyboard, and yet many mobile

applications for a Web service require users to use the same password for
access as they do for the desktop computer equivalent.

well as technological and psychological ones. Researchers have found

that the development of usable security requires deep insight into the
human-interaction dimensions of the application for which security is
being developed and of the alignment of technical protocols for security

4.2.3 Law
U.S. domestic law, international law, and foreign domestic law affect
cybersecurity in a number of ways.

Domestic Law
-
eral statutes addressing various aspects of cybersecurity either directly or
indirectly.17 (The acts discussed below are listed with the date of original
passage, and “as amended” should be understood with each act.)

actions. These statutes include the Computer Fraud and Abuse Act of
1986 (prohibits various intrusions on federal computer systems or on
computer systems used by banks or in interstate and foreign commerce);
the Electronic Communications Privacy Act of 1986 (ECPA; prohibits

1996 (outlaws theft of trade secret information, including electronically

stored information, if “reasonable measures” have been taken to keep
it secret); the Federal Wiretap Act of 1968 as amended (often known as
Title III; prohibits real-time surveillance of electronic communications

of 1978 (FISA; establishes a framework for the use of “electronic surveil-

17Eric A. Fischer, Federal Laws Relating to Cybersecurity: Overview and Discussion of Pro-
posed Revisions
www.fas.org/sgp/crs/natsec/R42114.pdf.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

82 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

lance” conducted to obtain information about a foreign power or foreign

territory that relates to the national defense, the security, or the conduct of
the foreign affairs of the United States, also known as “foreign intelligence
information”). As this report is being written, the scope and the nature
of precisely how federal agencies have complied with various portions of
FISA are under investigation.

event that important information is compromised. If such information is

of the individuals with whom such information is associated. Federal

securities law (the Securities Act of 1933 and the Securities Exchange Act

and accurate information about risks and events that is important to an

investment decision. Under this authority, the Securities and Exchange
Commission’s Division of Corporation Finance in 2011 provided volun-

relating to cybersecurity risks and cyber incidents.18

Several federal statutes assign responsibility within the federal gov-
ernment for various aspects of cybersecurity, including the Computer
Security Act of 1987 (National Institute of Standards and Technology
[NIST], responsible for developing security standards for non-national-
security federal computer systems); the Paperwork Reduction Act of 1995

cybersecurity policies); the Clinger-Cohen Act of 1996 (agency heads

policies and procedures); the Homeland Security Act of 2002 (HSA;

Department of Homeland Security [DHS], responsible for cybersecurity
for homeland security and critical infrastructure); the Cyber Security
Research and Development Act of 2002 (NSF and NIST, research respon-
-

cybersecurity responsibilities, established a central federal incident center,

promulgating federal cybersecurity standards).

Finally, national security law may affect how the United States may
itself use cyber operations in an offensive capacity for damaging adver-
sary information technology systems or the information therein. For
example, the War Powers Act of 1973 restricts presidential authority to use
the U.S. armed forces in potential or actual hostilities without congressio-

18U.S. Securities and Exchange Commission, Division of Corporation Finance, “CF

Disclosure Guidance: Topic No. 2—Cybersecurity,” October 13, 2011, available at http://

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 83

Powers Act is poorly suited to U.S. military forces that might engage in

within which is resident a great deal of cybersecurity knowledge—can

cooperate with civil agencies on matters related to cybersecurity.

International Law

cyber operations that cross international boundaries. However, one inter-

related actions or activities, to improve national capabilities for inves-

tigating such crimes, and to increase cooperation on investigations.19
That convention also obliges ratifying states to create laws allowing law

in wiretapping, and obtain real-time and stored communications data,

whether or not the crime under investigation is a cybercrime.
International law does potentially touch on hostile cyber operations
that cross international boundaries when a hostile cyber operation is the
instrumentality through which some regulated action is achieved. A par-

Charter and the Geneva and Hague Conventions.

The UN Charter is the body of treaty law that governs when a nation

how the UN Charter should be interpreted with respect to cyberattacks

result from three fundamental facts:

• The UN Charter was written in 1945, long before the notion of

cyberattacks was even imagined. Thus, the framers of the charter could

be inferred from historical precedent and practice, and there are no such

19 Drafted by the Council of Europe in Strasbourg, France, the convention is available

on the Web site of the Council of Europe at http://conventions.coe.int/Treaty/en/Treaties/
Html/185.htm.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

84 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

• The charter is in some ways internally inconsistent. It bans certain

acts (uses of force) that could damage persons or property, but allows
other acts (economic sanctions) that could damage persons or property.
Offensive cyber operations may well magnify such inconsistencies.

The Geneva and Hague Conventions regulate how a nation engaged

-

to be legally protected entities, such as hospitals); the principle of propor-

tionality (the military advantage gained by a military operation must not

and the principle of distinction (military operations may be conducted

only against “military objectives” and not against civilian targets). But as
with the UN Charter, the Geneva Conventions are silent on cyberattack as

one nation to acquire intelligence information from another. Espionage is

an illegal activity under the domestic laws of virtually all nations, but not
under international law. There are no limits in international law on the
methods of collecting information, what kinds of information can be col-
lected, how much information can be collected, or the purposes for which
collected information may be used.
As noted above, international law is also articulated through cus-
tomary international law—that is, the general and consistent practices of

in the form of treaties but rather is found in international case law. Here
too, guidance for what counts as proper behavior in cyberspace is lack-
ing. Universal adherence to norms of behavior in cyberspace could help
to provide nations with information about the intentions and capabilities

such norms today.

Foreign Domestic Law

Foreign nations are governed by their own domestic laws that relate

activities in cyberspace, the United States and that other nation are more
likely to be able to work together to combat hostile cyber operations that

the production of child pornography and spam.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 85

But when security- or privacy-related laws of different nations are

inconsistent, foreign law often has an impact on the ability of the United
States to trace the origin of hostile cyber operations against the United
States or to take action against perpetrators under another nation’s juris-
diction. Legal dissimilarities have in the past impeded both investigation
and prosecution of hostile cyber operations that have crossed interna-
tional boundaries.

4.2.4 Organizational Purview

to a hostile operation in cyberspace by a nonstate actor is often char-

requires a law enforcement response or a national security response. This

a national security response paradigm, whereas a law enforcement para-

digm might call for strengthened passive defense measures to mitigate
the immediate threat and other activities to identify and prosecute the
perpetrators.

to be clear, and many factors relevant to a decision will not be known. For
-
mously, and clandestinely, knowledge about the scope and character of
a cyberattack will be hard to obtain quickly. Attributing the incident to a

period of time. Other nontechnical factors may also play into the assess-
ment of a cyber incident, such as the state of political relations with other
nations that are capable of launching the cyber operations involved in
the incident.
Once the possibility of a cyberattack is made known to national
authorities, information must be gathered to determine perpetrator and
purpose, and must be gathered using the available legal authorities. Some
entity within the federal government integrates the relevant information,
and then it or another higher entity (e.g., the National Security Council)

a law enforcement or national security response is called for.

How might some of the factors described above be taken into account
-
ties are likely to predominate in the decision-making calculus if the scale
of the attack is small, if the assets targeted are not important military

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

86 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

assets or elements of critical infrastructure, or if the attack has not created

-

as a use of force or an armed attack on the United States had it been

carried out with kinetic means would almost certainly be regarded as a
-
nation are the geographic origin of the attack and the nature of the party
responsible for the attack (e.g., national government, terrorist group).
U.S. law has traditionally drawn distinctions between authorities
granted to law enforcement (Title 18 of the U.S. Code), the Department
of Defense (Title 10 of the U.S. Code), and the intelligence community
(Title 50 of the U.S. Code), but in an era of international terrorist threats,
these distinctions are not as clear in practice as when threats to the United
States emanated primarily from other nations. That is, certain threats to
the United States implicate both law enforcement and national security
equities and call for a coordinated response by all relevant government
agencies.
When critical infrastructure is involved, the entity responsible for

taken has evolved over time. Today, the National Cybersecurity and Com-

the U.S. government that fuses information on the above factors and inte-
grates the intelligence, national security, law enforcement, and private-
20

Whatever the mechanisms for aggregating and integrating informa-

tion related to a cyber incident, the function served is an essential one—
and if the relationships, the communications pathways, the protocols for

well in advance, responses to a large unanticipated cyber incident will be

uncoordinated and delayed.

4.2.5 Deterrence
Deterrence relies on the idea that inducing a would-be intruder to
refrain from acting in a hostile manner is as good as successfully defend-
ing against or recovering from a hostile cyber operation. Deterrence
through the threat of retaliation is based on imposing negative conse-
quences on adversaries for attempting a hostile operation.
Imposing a penalty on an intruder serves two functions. It serves

20See U.S. Department of Homeland Security, “About the National Cybersecurity and
Communications Integration Center,” available at http://www.dhs.gov/about-national-
cybersecurity-communications-integration-center.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 87

the goal of justice—an intruder should not be able to cause damage with
impunity, and the penalty is a form of punishment for the intruder’s
misdeeds. In addition, it sets the precedent that misdeeds can and will
result in a penalty for the intruder, and it seeks to instill in future would-
be intruders the fear that he or she will suffer from any misdeeds they
might commit, and thus to deter such action, thereby discouraging further
misdeeds.
What the nature of the penalty should be and who should impose the
penalty are key questions in this regard. (Note that a penalty need not

attribution of hostile action to a responsible party is also a threshold issue,

because imposing penalties on parties not in fact responsible for a hostile

For deterrence to be effective, the penalty must be one that affects

the adversary’s decision-making process and changes the adversary’s

to or destruction of the information technology assets used by the per-

petrator to conduct a hostile cyber operation; loss of or damage to other
assets that are valuable to the perpetrator; or other actions that might
damage the perpetrator’s interests.
But the appropriate choice of penalty is not separate from the party
-
tile operation might undertake destructive actions against a perpetrator
raises the spectre of vigilantism and easily leads to questions of account-
ability and/or disproportionate response.
Law enforcement authorities and the judicial system rely on federal

process in which a misdeed is investigated, perpetrators are prosecuted,

and if found guilty are subject to penalties imposed by law. As noted in
Section 4.2.3, a number of laws impose penalties for the willful conduct

such laws will deter such violations.

national security, the penalty can take the form of diplomacy such as
demarches and breaks in diplomatic relations, economic actions such as
trade sanctions, international law enforcement such as actions taken in
international courts, nonkinetic military operations such as deploying
forces as visible signs of commitment and resolve, military operations
such as the use of cruise missiles against valuable adversary assets, or
cyber operations launched in response.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

88 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Deterrence was and is a central construct in contemplating the use of

nuclear weapons and in nuclear strategy—because effective defenses

retaliation to persuade an adversary to refrain from using nuclear weap-

ons is regarded by many as the most plausible and effective alternative to
ineffective or useless defenses. Indeed, deterrence of nuclear threats in the
Cold War established the paradigm in which the conditions for successful
deterrence are largely met.
It is an entirely open question whether cyber deterrence is a viable
strategy. Although nuclear weapons and cyber weapons share one key
characteristic (the superiority of offense over defense), they differ in many

it is not plausible to assume the same for a large-scale cyberattack.

4.3 ASSESSING CYBERSECURITY

have strong intuitions that some systems are more secure than others, but
assessing a system’s cybersecurity posture turns out to be a remarkably
thorny problem. From a technical standpoint, assessing the nature and

•
precisely specify what it means for the system to operate securely. Indeed,
many vulnerabilities in systems can be traced to misunderstandings or a
lack of clarity about what a system should do under a particular set of
circumstances (such as the use of penetration techniques or attack tools
that the defender has never seen before).
• A system that contains functionality that should not be present
-
tionality may entail doing something harmful. Discovering that a system
-

Viewing system security from an operational perspective rather than

just a technical one shows that security is a holistic, emergent, multi-

many factors other than technology affect the security of a system, includ-

of the people using the system, the access control policy in place, the
boundaries of the system (e.g., are users allowed to connect their own

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 89

threat against the system.

Accordingly, a discussion cast simply in terms of whether a system
is or is not secure is almost certainly misleading. Assessing the security

What does the discussion above imply for the development of cyber-
security metrics—measurable quantities whose value provides informa-

Metrics are intended to help individuals and companies make rational

quantitative decisions about whether or not they have “done enough”
with respect to cybersecurity. These parties would be able to quantify

be able to determine if System A is more secure than System B. Good

cybersecurity metrics would also support a more robust insurance market
in cybersecurity founded on sound actuarial principles and knowledge.
The holy grail for cybersecurity analysts is an overall cybersecurity
metric that is applicable to all systems and in all operating environ-
ments. The discussion above, not to mention several decades’ worth of

be achieved for the foreseeable future. But other metrics may still be use-
ful under some circumstances.
It is important to distinguish between input metrics (metrics for what
system users or designers do to the system), output metrics (metrics for
what the system produces), and outcome metrics (metrics for what users
or designers are trying to achieve—the “why” for the output metrics).21

• -
ment that are believed to be associated with desirable cybersecurity out-

-
rity are not validated in practice, and/or are established intuitively.
• -
eters that are believed to be associated with desirable cybersecurity out-

of cybersecurity incidents in a given year. Output metrics can often be

assessed through the use of a red team. Sometimes known as “white-hat”

21 See Republic of South Africa, “Key Performance Information Concepts,” Chapter 3

in Framework for Managing Programme Performance Information, National Treasury, Pretoria,

framework/part3.pdf.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

90 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

or “ethical” hackers, a red team attempts to penetrate a system’s security

under operational conditions with the blessing of senior management,
and then reports to senior management on its efforts and what it has
learned about the system’s security weaknesses. Red teaming is often the

• -

number of cybersecurity incidents and thereby reduce the annual losses

-
curity budget unwisely, the presumed relationship between budget and
number of incidents may well not hold.
Also, the correlation between improvement in a cybersecurity input
metric and better cybersecurity outcomes may well be disrupted by an
-
ever, against adversaries that do not adapt—and thus the resulting cyber-
security posture against the entire universe of threats may in fact be
improved.

4.4 ON THE NEED FOR RESEARCH

Within each of the approaches for improving cybersecurity described

-
lems. A good solution to a cybersecurity problem is one that is effective, is

includes developing new knowledge on how to improve the prospects for

deployment and use of known solutions to given problems.
Second, even assuming that everything known today about improv-
ing cybersecurity was immediately put into practice, the resulting cyber-
security posture—although it would be stronger and more resilient than
it is now—would still be inadequate against today’s high-end threat, let
alone tomorrow’s. Closing this gap—a gap of knowledge—will require
substantial research as well.
Several principles, described in the 2007 NRC report Toward a Safer and
More Secure Cyberspace, should shape the cybersecurity research agenda:

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

ENHANCING CYBERSECURITY 91

• Conduct cybersecurity research as though its application will be impor-

tant -
ing how cybersecurity technologies and practice can be applied in real-

factors as well as technological ones.

• Hedge against uncertainty in the nature and severity of the future
cybersecurity threat. A balance in the research portfolio between research
addressing low-end and high-end threats is necessary. Operationally, it
means that the R&D agenda in cybersecurity should be both broader
and deeper than might be required if only low-end threats were at issue.
(Because of the long lead time for large-scale deployments of any mea-
sure, part of the research agenda must include research directed at reduc-
ing those long lead times.)
• Ensure programmatic continuity. A sound research program should
also support a substantial effort in research areas with a long time hori-

intermediate milestones, although such milestones should be treated as

midcourse corrections rather than “go/no-go” decisions that demoral-

should engage both academic and industry actors, and it can involve col-
laboration early and often with technology-transition stakeholders, even
in the basic science stages.
• Respect the need for breadth in the research agenda. Cybersecurity

to imagine that one or even a few promising approaches will prevent or

even substantially mitigate cybersecurity risks in the future, and cyber-
security research must be conducted across a broad front. In addition,
because qualitatively new attacks can appear with little warning, a broad

develop countermeasures against these new attacks when they appear.

Priorities are still important, but they should be determined by those in a
position to respond most quickly to the changing environment—namely,
the research constituencies that provide peer review and the program
managers of the various research-supporting agencies. Notions of breadth
and diversity in the cybersecurity research agenda should themselves
be interpreted broadly as well, and might well be integrated into other
research programs such as software and systems engineering, operating
systems, programming languages, networks, Web applications, and so on.
• Disseminate new knowledge and artifacts (e.g., software and hardware
prototypes) to the research community. Dissemination of research results
beyond one’s own laboratory is necessary if those results are to have a

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

92 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

wide impact—a point that argues for cybersecurity research to be con-

be shared as widely as possible includes threat and incident information

that can help guide future research.

As for the impact of research on the nation’s cybersecurity posture,

-
tial difference at all. Indeed, many factors must be aligned if research is

regard security as a product attribute that is coequal with performance

and cost; IT researchers must be willing to value cybersecurity research
as much as they value research into high-performance or cost-effective
computing; and IT purchasers must be willing to incur present-day costs

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Tensions Between Cybersecurity

and Other Public Policy Concerns

As noted in Chapter 1, progress in public policy to improve the

nation’s cybersecurity posture has not been as rapid as might have been
-

measures taken to improve cybersecurity potentially have negative effects

-
cant tensions.

5.1 ECONOMICS
Economics and cybersecurity are intimately intertwined in the public
policy debate in two ways—the scale of economic losses due to adversary

and nature of vendor and end-user investments in cybersecurity. (To date,

the economic losses due to cyberattack are negligible by comparison.)

5.1.1 Economic Approaches to Enhancing Cybersecurity

As implied in Chapter 4, economic approaches to promote cyberse-
curity should identify actions that lower barriers and eliminate disincen-

cybersecurity or actions that cause harm in cyberspace. Some of the pos-

93

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

94 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

national consensus on which of these, if any, should be implemented as

policy, and legislation has not been passed on any of these approaches.

•
— One type of information is more and better information about
threats and vulnerabilities, which could enable individual organi-

victim to a given threat.

— A second type of information is information about an individual
-

appropriate best-practice cybersecurity measures for those sectors.

Another party, such as a government regulatory agency in the case
-

Commission for publicly held companies, would audit the adequacy

results of such audits.1 Publicity about such results would in prin-

postures.
• Insurance. The insurance industry may have a role in incentiv-

losses incurred because of cybercrime will have lower premiums if they

have stronger cybersecurity postures, and thus market forces will help
to drive improvements in cybersecurity. A variety of reasons stand in the
way of establishing a viable cyber-insurance market: the unavailability
of actuarial data to set premiums appropriately; the highly correlated
nature of losses from outbreaks (e.g., from viruses) in a largely homoge-

the intangible nature of losses and assets, and unclear legal grounds.
• . This approach is based on three

-
-
petitive position in the marketplace. Relevant standards-setting bodies
include the National Institute of Standards and Technology for the U.S.

1 President’s Council of Advisors on Science and Technology, Immediate Opportunities

for Strengthening the Nation’s Cybersecurity, November 2013, available at http://www.white

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 95

the private sector.

• Nonregulatory public-sector mechanisms. This approach uses some of
the tools below to promote greater attention to and action on cybersecurity.
— Procurement regulations can be used to insist that information
technology systems delivered to government are more secure. With
such systems thus available, vendors might be able to offer them to
other customers as well.
— The federal government can choose to do business only with

— The federal government itself could improve its own cybersecu-

investment in cybersecurity.
— Public recognition of adherence to high cybersecurity stan-

— Voluntary standards setting by government can specify cyberse-

• Liability. This approach presumes that vendors and/or system

-
security breaches will make greater efforts than they do today to reduce
the likelihood of such breaches. Opponents argue that the threat of liabil-

secrets, and reduce the competitiveness of products subject to such forces.

Moreover, they argue that vendors and operators should not be held
responsible for cybersecurity incidents that can result from factors that
are not under their control.
• Direct regulation. Regulation would be based on enforceable man-
dates for various cybersecurity measures. This is the ultimate form of
changing the business cases—comply or face a penalty. Direct regulation

kinds of standards relating to cybersecurity “best practices” regarding

the services they provide to consumers or their own internal practices.
Opponents of direct regulation argue that several factors would make
2 For

used to address actual threats. Costs of implementation would be highly

variable and dependent on a number of factors beyond the control of the

Security: Implications for Regulatory Policy,” Journal of Regulatory Economics 31(1):37-55,

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

96 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

regulated party. Risks vary greatly from system to system. There is wide

measures.

-
tant in cybersecurity, the present administration is promulgating its
Cybersecurity Framework. Under development as this report is being
written, the framework is a set of core practices to develop capabilities
to manage cybersecurity.3 To encourage critical infrastructure companies

• Special consideration in the awards process for federal critical

infrastructure grants;
• Priority in receiving certain government services, such as technical
assistance in non-emergency situations;
• Reduced tort liability, limited indemnity, higher burdens of proof
to establish liability, or the creation of a federal legal privilege that pre-
empts state disclosure requirements; and
• Public recognition for adopters of the framework.

5.1.2 Economic Impact of Compromises in Cybersecurity

Regarding the negative economic impact of compromises in cyber-
security, numbers as high as $1 trillion annually have been heard in the
public debate, and in 2012, the commander of U.S. Cyber Command
asserted that the loss of industrial information and intellectual property
through cyber espionage constitutes the “greatest transfer of wealth in
history.”5 But in point of fact, the uncertainty in the actual magnitude is
quite large, and other analysts speculate that the actual numbers—though

known estimates.

3 -
rity Framework,” available at http://www.nist.gov/cyberframework/.
4 Michael Daniel, “Incentives to Support the Adoption of the Cybersecurity Frame-

work,” August 6, 2013, available at http://www.whitehouse.gov/blog/2013/08/06/

incentives-support-adoption-cybersecurity-framework.
5

posts/2012/07/09/nsa_chief_cybercrime_constitutes_the_greatest_ transfer_of_wealth_in_
-
sial and are discussed in Section 3.6 on threat assessment.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 97

the negative economic impact of adversarial cyber operations. However,

intellectual property is unlike physical property in some very important
ways, not the least of which is the fact that “stolen” intellectual property is
still available
control over it. “Stolen” intellectual property is really copied intellectual

the value of intellectual property what it cost to produce that intellectual

is no assurance that a taker of intellectual property will be able to use it

properly or effectively.
Uncertainties also apply to valuing the loss of sensitive business infor-
mation (such as negotiating strategies and company inside information).

Company B, a competitor, knows it, Company B may be able to undercut

Company A and unfairly win a contract. Insider information about Com-
pany C may lead to stock market manipulation. The loss of a contract is
easy to value, but given that many factors usually affect the outcomes
of such competitions, how could one tie a competitive loss to the loss of

-
vice disruptions often delay service but do not deny it, and a customer
who visits a Web site that is inaccessible today may well visit it tomor-
row when it is accessible. Should the opportunity cost of a disruption

company suffering a cybersecurity incident that is made public may see

its stock price suffer, but a McAfee-CSIS report indicates that such a price
drop usually lasts no more than a quarter.6
Last, a number of other factors also affect the reliability of various

from reporting it. The surveys taken to determine economic loss are often
not representative, and questions about loss can be structured in a way
that does not allow erroneously large estimates to be corrected by errors
on the other side of the ledger.7

6Center for Strategic and International Studies, The Economic Impact of Cybercrime and
Cyber Espionage
rp-economic-impact-cybercrime.pdf.
7

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

98 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

Estimates of losses due to cybercrime are intended to motivate action

to deal with the cybercrime problem, and larger estimates presumably
make the problem more urgent for policy makers to address. But disputes
about methodology can erode the credibility of demands to take imme-
diate action, even when the lower end of such estimates may be large
enough from a public policy standpoint to warrant action.
Perhaps more important, even if the economic losses are large, users
of information technology may be making a judgment that such losses are
simply a cost of doing business. Although they may be loath to acknowl-
edge it publicly, some users argue that they will not invest in security
improvements until the losses they are incurring make such an invest-
ment economically worthwhile. Although economic calculations of this
nature are unlikely to be the only reason that users fail to invest at a level

5.2 INNOVATION
A stated goal of U.S. public policy is to promote innovation in prod-
ucts and services in the private sector. In information technology (as in

offering, at least until a competitor comes along. During this period, the
vendor has the chance to establish relationships with customers and to

Furthermore, customers of the initial product or service may well be

reluctant to incur the costs of switching to a competitor.
Policy actions that detract from the ability of the private sector to
innovate are inherently suspect from this perspective, and in particular
policy actions to promote greater attention to cybersecurity in the private
sector often run up against concerns that these actions will reduce inno-
vation. The logic of reducing time to market for information technology
products or services runs counter to enhancing security, which adds com-

-
ment is not conducive to focusing on security from the outset. Software

are thrown away. In this environment, it makes very little sense to invest
up front in that kind of adherence unless such adherence is relatively

Furthermore, to apply secure development principles such as those

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 99

very well and in some considerable detail just what the ultimate artifact
is supposed to do. But some large software systems emerge from incre-
mental additions to small software systems in ways that have not been
anticipated by the designers of the original system, and sometimes users
change their minds about the features they want, or even worse, want
contradictory features.
Functionality that users demand is sometimes in tension with secu-
rity as well. Users demand attributes such as ease of use, interoperability,
and backward compatibility. Often, information technology purchasers

ease of use, performance, and dominance in a market, although in recent

years the criteria for product selection have broadened to include security

-
ping a product—whether to ship with the security features turned on or

often get in the way of using the product, an outcome that may lead to
frustration and customer dissatisfaction. Inability to use the product may
also result in a phone call to the vendor for customer service, which is

with security features turned off tends to reduce one source of customer
complaints and makes it easier for the customer to use the product. The
-
rity breaches that may occur as a result, at which point tying those con-
-
stances, many vendors will chose to ship with security turned off—and
many customers will simply accept forever the vendor’s initial default
settings.
Restricting users’ access privileges often has serious usability impli-
cations and makes it harder for users to get legitimate work done, as for

a time-urgent basis. Program features that enable adversary access can be

turned off, but doing so may disable functionality needed or desired by
users. In some cases, closing down access paths and introducing cyberse-
curity to a system’s design slows it down or makes it harder to use. Other

to respond quickly in an emergency situation.

At the level of the computer programs needed for an innovative
product or service, implementing the checking, monitoring, and recovery
needed for secure operation requires a lot of computation and does not
come for free. In addition, user demands for backward compatibility at
the applications level often call for building into new systems some of the
same security vulnerabilities present in the old systems.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

100 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

5.3 CIVIL LIBERTIES

substantial controversy. Civil liberties have an important informational

dimension to them, and cybersecurity is in large part about protecting
information, so it is not surprising that measures taken to enhance cyber-
security might raise civil liberties concerns.

5.3.1 Privacy

information, the term “privacy” usually refers to making ostensibly pri-

vate information about an individual unavailable to parties who should
not have that information. Privacy interests attach to the gathering, con-
trol, protection, and use of information about individuals.
Privacy and cybersecurity intersect in a number of ways, although the
-
8
vacy. In one basic sense, cybersecurity measures can protect privacy—an
intruder seeking ostensibly private information (e.g., personal e-mails or

stymied by good cybersecurity measures.

But certain measures taken to enhance cybersecurity can also violate

all in-bound network

than its intended recipient is regarded by some as a violation of privacy,

-

Another measure for enhancing cybersecurity calls for sharing tech-

identifying and responding to intrusions. Technical information is infor-

mation associated directly with the mechanisms used to effect access, to

8 What an individual regards as “private” may not be the same as what the law

designates as being worthy of privacy protection—an individual may believe a record of

law may say otherwise. No technical security measure will protect the privacy interests of

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 101

• Malware (or intrusion) signatures. Sharing such information could

help installations identify malware before it has a chance to affect vulner-
able systems or networks.
• Time-correlated information on intrusions. Such information is an
essential aspect of attack assessment, because simultaneous intrusions on
multiple installations across the nation might signal the onset of a major
attack. Important installations thus must be able to report their status to
authorities responsible for coordinating such information.
• Frequency, nature, and effect of intrusions. How often are intrusions of

In some cases, real-time or near-real-time information sharing is a

prerequisite for a prompt response. In other cases, after-the-fact coordina-
tion of information from multiple sources is necessary for forensic pur-
poses or for detecting similar intrusions in the future. Nonetheless, many

about possible antitrust or privacy violations and loss of advantages with

-
times reluctant to share such information with government agencies, for
fear of attracting regulatory attention. Similar issues also arise regarding
the sharing of threat information among agencies of the U.S. government,
especially those within the intelligence community. The result can be that
a particular method of intrusion may be known to some (e.g., elements of
the intelligence community or the military) and unknown to others (e.g.
industry and the research community), thus impeding or delaying the
development of effective countermeasures.

information is not removed from the information to be shared, or if the

scope of the allowed purposes for sharing information goes beyond mat-
ters related to cybersecurity. The essential privacy point is that systemati-

inspection of all
in any way. If the entities with whom the information is shared are law
enforcement or national security authorities, privacy concerns are likely
to be even stronger.

5.3.2 Free Expression

of speech, freedom of the press, freedom of assembly, and freedom to peti-

tion the government, encompasses civil liberties that are often infringed

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

102 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

when the causes involved are unpopular. In such cases, one way of pro-

means for them to do so anonymously. Thus, an individual may choose

to participate in an unattributable online discussion that is critical of

to strong authentication at the packet level. Few people object to online

banks using strong authentication—but many have strong objections to
mandatory strong authentication that is independent of the application in
question, and in particular they are concerned that strong authentication

that mandatory strong authentication should apply to a second Internet,

which would be used by critical infrastructure providers and others who
preferred to operate in a strongly authenticated environment. Although a
new network with such capabilities would indeed help to identify attack-
ers under some circumstances, attackers would nevertheless invariably
seek other ways to counter the authentication capabilities of this alterna-
tive, such as compromising the machines connected to the new network.9
In addition, a new network may come with a number of drawbacks,
such as retaining the economies of the present-day Internet and prevent-
ing any connection, physical or logical, to the regular Internet through

with large networks indicates that maintaining an actual air-gap isolation

between two Internets would be all but impossible—not for technical
reasons but because of a human tendency to make such connections for
the sake of convenience.

5.3.3 Due Process

An important element of protecting civil liberties is due process—the
state cannot deprive individuals of civil liberties in the absence of due
process. Some cybersecurity measures can put pressure on due process.
-

civilians in the process of responding to an adversarial cyber operation.

9Steven M. Bellovin, “Identity and Security,” IEEE Security and Privacy 8(2, March-
April):88, 2010.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 103

Also, it is often alleged that responses to cyber intrusions must happen

very rapidly—in a matter of milliseconds—because the intrusions occur
very rapidly. Leaving aside the question of whether a rapid response is in
fact required in all circumstances, even those situations in which a rapid
response is necessary raise the question of whether due process can be
-
bution of a cyber intrusion to the legally responsible actor, may simply
be impossible to accomplish in a short time, and yet accomplishment of
these tasks may be necessary elements of due process.

5.4 INTERNATIONAL RELATIONS AND NATIONAL SECURITY

5.4.1 Internet Governance

In the international environment of the Internet, “Internet gover-
-
net governance includes management and coordination of the technical
underpinnings of the Internet such as the Domain Name System, and
development of the standards and protocols that enable the Internet to
function.10
there is not broad international agreement, would include matters such
as controlling spam; dealing with use of the Internet for illegal purposes;
resolving the “digital divide” between developed and developing coun-
tries; protecting intellectual property other than domain names; protect-

e-commerce.11
International debates over what should constitute the proper scope
of Internet governance are quite contentious, with the United States gen-

security from threats in cyberspace.

But different nations have different conceptions of what constitutes

the U.S. conception of cybersecurity. These nations argue that Internet

poses threats to their national security and political stability (e.g., news

10 Lennard G. Kruger, “Internet Governance and the Domain Name System: Issues for

Congress,” Congressional Research Service, November 13, 2013, available at http://www.

fas.org/sgp/crs/misc/R42351.pdf.
11 National Research Council, Signposts in Cyberspace: The Domain Name System and

Internet Navigation, The National Academies Press, Washington, D.C., 2005.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

104 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

stories about corruption at high levels of government) and thus that

-
ern nations have opposed such measures in multiple forums, and in
particular have opposed attempts to broaden the Internet governance
-
nance are thus often disputes over content regulation in the name of
Internet security.
-
dards for passing information and what these protocols and standards

both in other nations and in the United States—that would require packet-
level authentication in the basic Internet protocols in the name of pro-
moting greater security. Requiring authentication in this manner would
implicate all of the civil liberties issues discussed above as well as the
performance and feasibility issues discussed in Chapter 2.

5.4.2 Reconciling Tensions Between Cybersecurity and Surveillance

As is true for all nations, the United States has multiple policy objec-
-
ing cybersecurity internationally, as illustrated in the 2011 White House
International Strategy for Cyberspace, a document stating that “assuring
the security and privacy of data [emphasis
added], and the integrity of the interconnected networks themselves are
all essential to American and global economic prosperity, security, and the
promotion of universal rights.”12
The United States also collects information around the world for
intelligence purposes, and much of such collection depends on the pen-
etration of information technology systems and networks to access the
information transiting through them. Cybersecurity measures taken by
the users, owners, and operators of these systems and networks thus tend
to frustrate intelligence collection efforts, and according to public reports,
the United States has undertaken a variety of efforts to circumvent or
weaken these measures.

12 White
House, International Strategy for Cyberspace: Prosperity, Security, and Openness in
a Networked World
rss_viewer/international_strategy_ for_cyberspace.pdf.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 105

On the face of it, these two policy objectives are inconsistent with
each other—one promotes cybersecurity internationally and the other

makers have pursued mutually incompatible objectives—governments

of incompatible objectives is to acknowledge the tension between them,

of another, and the likely operational impact of policy tradeoffs made in

different ways must be assessed and compared.
An illustration of this tradeoff is the Communications Assistance for
Law Enforcement Act (CALEA) of 1994, which directs the telecommunica-
tions industry to design, develop, and deploy systems that support law
enforcement requirements for electronic surveillance. Intelligence derived
from electronic surveillance of adversaries (including criminals, hostile
nations, and terrorists) is an important factor in shaping the U.S. response
to adversary activities. But measures taken to facilitate CALEA-like access

of the systems affected by those measures.13

Efforts continue today to introduce means of government access
to the infrastructure of electronic communications,14 and some of these
efforts are surreptitious. Regardless of the legality and/or policy wisdom
of these efforts, a fundamental tradeoff faces national policy makers—
whether reduced security for the communications infrastructure is worth
-
-
munications may be most obvious in the short term, whereas the costs of
reduced security are likely to be felt in the long term. Advocates for main-
taining government access to adversary communications in this manner

Opponents of this approach will argue the reverse.

13

Affair,” IEEE Spectrum

telecom/security/the-athens-affair.
14

in the NSA Surveillance Revelations,” IEEE Security and Privacy

2013, available at http://www.computer.org/cms/Computer.org/ComputingNow/pdfs/
MakingSenseFromSnowden-IEEESecurityAndPrivacy.pdf, and “Making Sense of Snowden,
IEEE Security and Privacy 12(1,

MSP.2013.161.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

106 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

5.4.3 Norms of Behavior in Cyberspace

International norms of behavior are intended to guide states’ actions,
sustain partnerships, and support the rule of law.15 Norms of international
behavior are established in many ways, including the customary practice

behavior that is permitted or proscribed.

The U.S. International Strategy for Cyberspace states that in cyberspace,
the United States supports the development of a variety of norms for
upholding fundamental freedoms; respect for property; valuing privacy;
protection from crime; right of self-defense; global interoperability; net-
work stability; reliable access; multi-stakeholder governance; and cyber-
security due diligence. But even a casual inspection of this set of possible
norms would suggest that an international consensus for these norms
would not be easy to achieve.

to which other parties are in fact complying with them—parties can

-
space to an appropriately responsible actor is problematic under many

behavior in cyberspace.
For illustrative purposes, two domains in which norms may be rel-
evant to cybersecurity relate to conducting cyber operations for differ-

acceptable and unacceptable behavior.

Distinguishing Between Cyber Operations Conducted for

Different Purposes
In the cybersecurity domain, norms of behavior are contentious as

information related to national security and foreign policy and collecting

information related to economic and business interests, arguing that the
-
tional law) and that the second constitutes theft of intellectual property
and trade secrets for economic advantage.

15
White House, International Strategy for Cyberspace—Prosperity, Security, and Openness
in a Networked World, May 2011, available at http://www.whitehouse.gov/sites/default/

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 107

Most other nations do not draw such a sharp line between these two
kinds of information collection. But even were all nations to agree in
principle that such a line should be drawn, how might these two types
of information (information related to national security and information

-
-

and others, remain to be answered.

And a further policy debate remains to be settled. Should the United
States maintain the distinction between national security information and

advantages and disadvantages, if any, to the United States of abandoning

Today, the United States does not target intelligence assets for the

on the desire of the United States to uphold a robust legal regime for the

competitors from different countries to make their best business cases on

proprietary information from the U.S. intelligence community about the

future generations of foreign products, such as airplanes or automobiles,
or about business operations and contract negotiating positions of their
competitors.
Such a change in policy would require the U.S. government to wrestle

well with foreign companies that they were trying to persuade to relo-
cate to the United States. And that use of its intelligence agencies might
well undercut the basis on which the United States could object to other

industries and lead to a “Wild West” environment in which anything

goes.
-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

108 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

cyberattacks use the same approaches to penetrating a system or net-

if an intrusion is detected, the underlying intent may not be clear until

some time has passed. Given that the distinction between an attack and

States respond when it is faced with a cyber intrusion of unknown

agents in some critical military networks of the United States to collect

intelligence information. These agents are designed to be reprogrammable
in place—that is, Elbonia can update these agents with new capabilities.
During a time of crisis, U.S. authorities discover some of these agents and
learn that they have been present for a while, that they are sending back
to Elbonia very sensitive information, and that their capabilities can be
changed on a moment’s notice. Even if no harmful action has yet been
taken, it is entirely possible that the United States would see itself as being
the target of an impending Elbonian cyberattack.
The possibility of confusion also applies if the United States con-
-
tion is nondestructive, how—if at all—should the United States inform

are particularly important during periods of crisis or tension. During

such periods, military action may be more likely, and it is entirely plau-
sible that both sides would increase the intensity of the security scans
each conducts on its critical systems and networks. More intense secu-
rity scans often reveal offensive software agents implanted long before
the onset of a crisis and that may have been overlooked in ordinary
scans, and yet discovery of these agents may well prompt fears that an
attack may be impending.16

attack (or preparations for attack) should not preclude the possibility of

suggest that the nature of a targeted entity can provide useful clues to

measures in cyberspace, such as agreements to refrain from attacking

certain kinds of facilities, can help as well. Such questions are open at
this time.

16 Strategic
Studies Quarterly 6(3):46-70, 2012.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 109

Arms Control in Cyberspace17

The intent of an arms control agreement in general is usually to
-

or multilateral, and they can be cast formally as treaties, informally as

memorandums of understanding, or even more informally as coordinated
unilateral policies.
In principle, arms control agreements can limit or ban the signatories
from conducting some combination of research, development, testing,
production, procurement, or deployment on certain kinds of weapons;
limit or ban the use of certain weapons and/or the circumstances under
which certain weapons may or may not be used; or oblige signatories to
take or to refrain from taking certain actions under certain circumstances
-
dence-building measures).
For cyber weapons (where a cyber weapon is an information tech-
nology-based capability for conducting some kind of cyber intrusion),
any limit on research, development, testing, production, procurement, or
deployment of certain kinds of weapons is unlikely to be feasible. One

that such weapons have legitimate uses (e.g., both military and civilian
entities use such weapons to test their own defenses). Distinguishing
offensive capabilities developed for cyberattack from those used to shore

impossible task.

-
cial systems or power grids, much as nations today have agreed to avoid
targeting hospitals in a kinetic attack. Agreements to restrict use are by

has not prevented the world’s nations (including the United States) from
-
able” restrictions.

One issue is that nonstate actors may have access to some of the same
cyber capabilities as do national signatories, and nonstate actors are
unlikely to adhere to any agreement that restricts their use of such capa-

17 Much of the discussion in this section is based on Herbert Lin, “A Virtual Necessity:

Some Modest Steps Toward Greater Cybersecurity,” Bulletin of the Atomic Scientists, Septem-
ber 1, 2012, available at http://www.thebulletin.org/2012/september/virtual-necessity-
some-modest-steps-toward-greater-cybersecurity.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

110 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

ultimate origin. If the ultimate origin of a cyberattack can be concealed

successfully, holding the violator of an agreement accountable becomes
problematic.
-
plicate arms control agreements in cyberspace. A detected act of cyber
-
-
tation would go far beyond the current bounds of international law and

for essentially all nations.

used to promote stability and mutual understanding when kinetic weap-

ons are involved. Some possible TCBMs in cyberspace include (but are
not limited to):

• . Two or more nations agree to notify each other

of serious cyber incidents, and to provide each other with information
about these incidents.
• Joint exercises
a simulated cyber crisis that affects or involves both nations to see what
information each side would need from the other.
• Publication of declaratory policies and/or doctrine about how a nation
intends to use cyber capabilities, both offensive and defensive, to support
its national interests.
• regarding certain activities that might
be viewed as hostile or escalatory.
• Direct communication with counterparts during times of tension or
crisis.
• Mutual cooperation on matters related to securing cyberspace (e.g.,
jointly investigating the source of an attack).
• Imposing on nation-states an obligation to assist in the investigation
and mitigation of cyber intrusions emanating from their territories.

Perhaps the most important challenge to the development of useful

TCBMs in cyberspace is that offensive operations fundamentally depend
-
sures are, as the name suggests, intended to be reassuring to an adversary;
the success of most offensive operations depends on an adversary being
falsely reassured. Thus, the misuse of these measures may well be an
element of an adversary’s hostile use of cyberspace. In addition, many
TCBMs are conventions for behavior (e.g., rules of the road) and as such
do not speak to intent—but in cyberspace, intent may be the primary
difference between a possibly prohibited act, such as certain kinds of

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 111

-
ing in a multilateral way various nations’ views about the nature of cyber
weapons, cyberspace, offensive operations, and so on could promote
greater mutual understanding among the parties involved.
-
tively refute, even in principle, the possibility of meaningful arms control
agreements in cyberspace is open to question today. What is clear is that
progress in cyber arms control, if it is feasible at all, is likely to be slow.

5.4.4 Managing the Global Supply Chain for Information Technology

China play major roles in the IT industry, and Ireland, Israel, Korea,

traces possible origins for some components of a laptop computer.) Inte-

grated circuits at the heart of a product might be designed and devel-
oped in the United States, fabricated in Taiwan, and incorporated into a

TABLE 5.1 Supply-Chain Geography—An Illustration

Component of
Laptop Computer Location of Facilities Potentially Used by Supplier(s)
Liquid crystal display
Slovac Republic, South Korea, Taiwan

Memory
Puerto Rico, Singapore, South Korea, Taiwan, United
States

Processor Canada, China, Costa Rica, Ireland, Israel, Malaysia,

Singapore, United States, Vietnam

Motherboard Taiwan

Hard disk drive

Singapore, Thailand, United States

National Security-Related Agencies Need to

Better Address Risks,
at http://www.gao.gov/products/GAO-12-361.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

112 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

product assembled from components supplied from around the world.

Similar considerations apply to software—and software is important to
any device, component, system, or network.
The global nature of the IT supply chain raises concerns that foreign
suppliers may be subject to pressures from their governments to manipu-
late the supply of critical components of IT systems or networks or, even
worse, introduce substandard, faulty, counterfeit, or deliberately vulner-
able components into the supply chain. U.S. users of these components,
which include both commercial and government entities, would thus be
using components that weakened their cybersecurity posture.

of the components it provides employ a number of strategies, sometimes

in concert with each other:18

• Using trusted suppliers. Such parties must be able to show that they
have taken adequate measures to ensure the dependability of the com-
ponents they supply or ship. Usually, such measures would be regarded
as “best practices” that should be taken by suppliers whether they are
foreign or domestic.
• Diversifying suppliers. The use of multiple suppliers increases the

• Reducing the time between choosing a supplier and taking possession

of the components provided. A shorter interval reduces the window within

• Testing components. Components can be tested to ensure that they

rule, testing can indicate only the presence of a problem—not its absence.
Thus, testing generally cannot demonstrate the presence of unwanted
(and hostile) functionality in a component, although testing may be able
to provide evidence that the component does in fact perform as it is sup-
posed to perform.

The strategies described above address some of the important process

and performance aspects of ensuring the integrity of the IT supply chain.
But implementing these strategies entails some cost, and many of the
most stringent strategies (e.g., self-fabrication of integrated circuit chips)

18 National Institute of Standards and Technology, “NIST Special Publication 800-

2010, available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 113

fair to say that the risk associated with corruption in the supply chain can
be managed and mitigated to a certain degree—but not avoided entirely.

5.4.5 Role of Offensive Operations in Cyberspace

Policy regarding the use of offensive operations in cyberspace is gen-

can be conducted for cyber defensive purposes and also for other purpos-
es.19 Furthermore, according to a variety of public sources, policy regard-
ing offensive operations in cyberspace includes the following points:

• The United States would respond to hostile acts in cyberspace as it

would to any other threat to the nation, and reserves the right to use all
necessary means—diplomatic, informational, military, and economic—as
appropriate and consistent with applicable international law, in order to
defend the nation, its allies, its partners, and its interests.20
• The laws of war apply to cyberspace,21 and because the United
States has made a commitment to behaving in accordance with these laws,

to the laws of war.

• Offensive operations in cyberspace offer “unique and unconven-
tional capabilities to advance U.S. national objectives around the world
with little or no warning to the adversary or target and with potential
effects ranging from subtle to severely damaging.”22
• Offensive operations likely to have effects in the United States
23

• Cyber operations, including offensive operations, that are likely to

against the United States; damage to property; serious adverse foreign

policy or economic impacts) require presidential approval.24

19 National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition

and Use of Cyberattack Capabilities, The National Academies Press, Washington, D.C., 2009.
20 White House, International Strategy for Cyberspace—Prosperity, Security, and Openness

in a Networked World, May 2011, available at http://www.whitehouse.gov/sites/default/

21

Inter-Agency Legal Conference, Ft. Meade, Md., September 18, 2012, available at http://
opiniojuris.org/2012/09/19/harold-koh-on-international-law-in-cyberspace/.
22 Robert Gellman, “Secret Cyber Directive Calls for Ability to Attack Without Warning,”

Washington Post
23 Gellman, “Secret Cyber Directive Calls for Ability to Attack Without Warning,” 2013.
24 Glenn Greenwald and Ewen MacAskill, “Obama Orders U.S. to Draw Up Over-

seas Target List for Cyberattacks,” The Guardian

theguardian.com/world/2013/jun/07/obama-china-targets-cyber-overseas.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

114 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

However, despite public knowledge of these points, the United States

has not articulated publicly a military doctrine for how cyber capabili-
ties might be used operationally. (As a notable point of comparison, U.S.
approaches to using nuclear weapons were publicly discussed during the
Cold War.)
A particularly important question about the use of offensive cyber

especially in the nuclear domain, are unlikely to apply to escalation

dynamics in cyberspace because of the profound differences between the

the fact that attribution is much more uncertain, the ability of nonstate

a multitude of states that have nontrivial capabilities to conduct cyber

operations.
Last, the fact that the Department of Defense is willing to consider
undertaking offensive operations in cyberspace as part of defending its
own systems and networks raises the question of whether offensive oper-
ations might be useful to defend non-DOD systems, and in particular to
defend entities in the private sector. Today, a private-sector entity that
is the target of hostile actions in cyberspace can respond to such threats

its defensive posture, and it can seek the assistance of law enforcement
authorities to investigate and to take action to mitigate the threat.
Although both of these responses (if properly implemented) are
helpful, their effectiveness is limited. Tightening security often reduces
important functionality in the systems being locked down—they become

posture is also costly. Law enforcement authorities can help, but they
cannot do so quickly and the resources they can bring to bear are usually
overwhelmed by the demands for their assistance.
A number of commentators and reports have suggested that a more
aggressive defensive posture—that is, an active defense—is appropriate
under some circumstances.25 Such an approach, especially if carried out

25 -
Washington Post, February 27, 2012, available at http://www.washington
post.com/blogs/checkpoint-washington/post/active-defense-at-center-of-debate-on-

Hackers, Firms Salting Their Servers with Fake Data,” Washington Post
available at http://www.washingtonpost.com/world/national-security/to-thwart-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

TENSIONS BETWEEN CYBERSECURITY AND OTHER POLICY CONCERNS 115

by the targeted private-sector entities, raises a host of technical, legal, and

policy issues.
A U.S. policy that condones aggressive self-help might serve as a
deterrent that reduces the cyber threat to private-sector entities. Alter-
natively, it might encourage a free-for-all environment in which any
-
ing offensive operations against the alleged offender. This debate is not
likely to be settled soon.

d1ce6d0ed278_story.html; David E. Sanger and Thom Shanker, “N.S.A. Devises Radio

Pathway into Computers,” New York Times
nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.
html; and Thom Shanker, “U.S. Weighs Its Strategy on Warfare in Cyberspace,” New York
Times, October 19, 2011, available at http://www.nytimes.com/2011/10/19/world/africa/
united-states-weighs-cyberwarfare-strategy.html.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Findings and Conclusion

6.1 FINDINGS
Finding 1. Cybersecurity is a never-ending battle. A permanently
decisive solution to the problem will not be found in the foresee-
able future.

For the most part, cybersecurity problems result from the inherent
-
nology systems, and human fallibility in making judgments about what
actions and information are safe or unsafe from a cybersecurity perspec-

None of these factors is likely to change in the foreseeable future, and thus
there are no silver bullets—or even combinations of silver bullets—that
can “solve the problem” permanently.
In addition, threats to cybersecurity evolve. As new defenses emerge
to stop older threats, intruders adapt by developing new tools and tech-
niques to compromise security. As information technology becomes more
ubiquitously integrated into society, the incentives to compromise the
security of deployed IT systems grow. As innovation produces new infor-
mation technology applications, new venues for criminals, terrorists, and
other hostile parties also emerge, along with new vulnerabilities that
-
ple with access to cyberspace multiplies the number of possible victims
and also the number of potential malevolent actors.
-

116

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

FINDINGS AND CONCLUSION 117

an ongoing process rather than something that can be done once and
then forgotten. Adversaries—especially at the high-end part of the threat
spectrum—constantly adapt and evolve their intrusion techniques, and
the defender must adapt and evolve as well.
These comments should not be taken to indicate a standstill in the

products in response to end-user concerns over security. Many of today’s

products are by many measures more secure than those that preceded
-
cantly. And public awareness is greater than it was only a few years ago.
Without these efforts, the gap between cybersecurity posture and threat

with the concurrent rise in the use of IT throughout society.

Ultimately, the relevant policy question is not how the cybersecurity
problem can be solved, but rather how it can be made manageable. Soci-

drug abuse, and so on are rarely “solved” or taken off the policy agenda
-

so decisively that they will never reappear—and the same is true for
cybersecurity.

Finding 2. Improvements to the cybersecurity posture of individu-

value in reducing the loss and damage that may be associated with
cybersecurity breaches.

If an adversary has the resources to increase the sophistication of its

attack and the motivation to keep trying even after many initial attempts
fail, it is natural for users to wonder whether it makes sense to bother to

deployed is surely a recipe for inaction that leaves one vulnerable to many
lower-level threats.
The value of defensive measures is found in several points:

• Malevolent actors need some time to adapt to defensive measures.

During this time, the victim is usually more secure than if no defensive
measures had been taken.
• A target often has multiple adversaries, not just one. Even if it is
true that adversary A will adapt to new defenses that are raised against
A, adversaries B, C, and D may try the same kinds of techniques and tools

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

118 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

that A originally used—these efforts by B, C, and D are likely to be less

successful against the target.
•

acts as a deterrent of harmful actions.

• Unsuccessful attempts to compromise system security cost the
adversary time—and an adversary who works more slowly poses less of

adversary may help to prevent him from being able to access everything
on the targeted system.
• A well-defended target is usually less attractive to malevolent

if a malevolent actor’s objectives do not call for compromising that spe-

• Certain defensive measures may provide opportunities for the

victim to gather intelligence on an intruder’s methods and tactics.
• Other defensive measures may enable the victim to know of the
adversary’s presence and activities, even if the victim is not entirely suc-
cessful in thwarting the adversary’s efforts.

For all of these reasons, efforts to improve cybersecurity postures

Finding 3. Improvements to cybersecurity call for two distinct kinds

of activity: (a) efforts to more effectively and more widely use what
is known about improving cybersecurity, and (b) efforts to develop
new knowledge about cybersecurity.

The current U.S. national cybersecurity posture—as it actually is—is

determined by knowledge that we have and that we actually use to build
a posture that is as robust as we can make it. The gap in security between
our national cybersecurity posture and the cyber threat has two essential
parts.

posture could be if currently known best cybersecurity practices and tech-

nologies were widely deployed and used. Illustrative of things that we
know but ignore or have forgotten about, the Part 1 gap is in some sense
the difference between the average cybersecurity posture and the best
cybersecurity posture possible with known best practices and technolo-

cybersecurity postures that are not the best. The second part—Part 2—is
the gap between the strongest posture possible with known practices and

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

FINDINGS AND CONCLUSION 119

Part 1 gap were fully closed, the resulting cybersecurity posture would

especially the high-end threat.

the development of entirely new approaches to cybersecurity—is the

focus of traditional cybersecurity research. A properly responsive research
program is broad and robust, and it addresses both current and pos-
sible future threats. Knowledge about new cybersecurity technologies,

strengthen defenses against an ever-evolving threat. Attending to Part 2

that increases the ability to respond quickly in the future when threats
unknown today emerge.
Note that the Part 1 gap is primarily nontechnical in nature (requir-
ing, e.g., research relating to economic or psychological factors regarding
the use of known practices and techniques, enhanced educational efforts
to promote security-responsible user behavior, and incentives to build
-
ing the Part 1 gap does not require new technical knowledge of cyberse-

Research is thus needed to understand how better to promote deployment

and use of such knowledge. By contrast, Part 2 of the cybersecurity gap
is the domain where new technologies and approaches are primarily rel-

Finding 4. Publicly available information and policy actions to date

States as a nation.

In 2007, a National Research Council report titled Toward a Safer and

More Secure Cyberspace called for policy makers to “create a sense of
urgency about the cybersecurity problem commensurate with the risks”
(p. 229). The report argued that the necessary sense of urgency might be
motivated by making publicly available a greater amount of authorita-
tive information about cybersecurity problems and threats and also by

end-user attention on the short-term costs of improving their cybersecu-

rity postures.
In the period since that report was issued, the cybersecurity issue has
received increasing public attention, and even more authoritative infor-
mation regarding cybersecurity threats is indeed available publicly. But all

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

120 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

too many decision makers still focus on the short-term costs of improving

-
more, little has been done to harness market forces to address matters
related to the cybersecurity posture of the nation as a whole.

A culture of security would pervade the entire life cycle of IT sys-

tems operations, from initial architecture, to design, development, testing,
deployment, maintenance, and use. Such a culture would entail, among
other things, collaboration among researchers; effective coordination and
information sharing between the public and the private sector; the cre-

state of the art; the broad-based education of developers, administrators,

and users that would make security-conscious practices second nature,

make it easy and intuitive for developers and users to “do the right
thing”; the employment of business drivers and policy mechanisms to
facilitate security technology transfer and diffusion of R&D into com-
mercial products and services; and the promotion of risk-based decision
making (and metrics to support this effort).
Consider what such a culture might mean in practice:

• Developers and designers of IT products and services would use

design principles that build security into new products and services, and
that focus on security and attack resilience as well as performance and
functionality.
• Security would be an integral part of the initial designs for future
secure and attack-resilient computer architectures, and it would be inte-
grated into every aspect of the hardware and software design life cycles
and research agendas.
•

user mistakes and malicious adversaries.

• Security features would be much simpler to use than they are
today.
• Designers and developers would assume that systems are insecure
until evidence suggests their resistance to compromise.
• End users would be aware of security matters and diligent in their
efforts to promote security.
•
high degree of security awareness is the norm, would be willing to accept
-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

FINDINGS AND CONCLUSION 121

tional goals in order to improve their cybersecurity postures, and would

• Policy makers would be willing to make decisions about tradeoffs

those decisions to the nation.

As for market forces and cybersecurity, private-sector entities will

today’s business cases. In the absence of a market for a higher level of

security, vendors will also not provide such security. Accordingly, if the
nation’s cybersecurity posture is to be improved to a level that is higher
than the level to which today’s market will drive it, the market calculus

altered somehow, and the business cases for the security of these organi-

Finding 5. Cybersecurity is important to the United States, but the

imperatives of cybersecurity. Tradeoffs are inevitable and will have

to be accepted through the nation’s political and policy-making
processes.

proliferation and terrorism or to rebalancing U.S. military forces to focus

nuclear weapons at Hiroshima in 1945,1 one critical difference is that the

use of a nuclear weapon provides a very important threshold—there is no
sense in which the use of even a single nuclear weapon could be regarded

anywhere in the world, especially one that does damage, is unambigu-

1 Van-
ity Fair, April 2011, available at http://www.vanityfair.com/culture/features/2011/04/
The Atlantic,
March 4, 2011, available at http://www.theatlantic.com/technology/archive/2011/03/
-
Christian Science Monitor, September 22, 2011,
available at http://www.csmonitor.com/ USA/2011/0922/From-the-man-who-discovered-

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

122 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

ously detectable. By contrast, cyberattacks are often conducted, not nec-

essarily with government sponsorship or approval (although sometimes

also occurs on a large scale, often with no one noticing.

But the likelihood of the detonation of a nuclear weapon on U.S. soil
is much lower than that of a cyberattack on the United States. So is the
nuclear issue, which is more consequential but less likely compared to

relations as well, given that the United States usually has many interests

very large scale. But China is also the largest single holder of U.S. debt
and one of the largest trading partners of the United States. China is the

States and China are arguably the most important nations regarding the
mitigation of global climate change. And this list goes on. What is the
-

common interests with Russia are different.

The need to manage multiple common interests with China or Russia
or any other nation generally requires policy makers to make tradeoffs—
pursuing one item on the agenda less vigorously in order to make prog-
ress on another item. Moreover, making such tradeoffs almost always
results in domestic winners and losers, a fact that makes the losers very
unhappy and increases their incentives to make their unhappiness known.
Nor is the competition for policy-maker attention limited to national
security and foreign relations. Domestic concerns about unemployment,
access to health care, and climate change are also important to the nation,
and who is to say whether cybersecurity is a more important problem for

In an environment of many competing priorities, reactive policy mak-

ing is often the outcome. It is an unfortunate fact of policy and politics
that tough decisions are often deferred in the absence of a crisis that forces
policy makers to respond. (The same can be true in the private sector as
well.) Support for efforts to prevent a disaster that has not yet occurred
is typically less than support for efforts to respond to a disaster that has
already occurred.

or few attempts have yet been made to compromise the cybersecurity

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

FINDINGS AND CONCLUSION 123

of application X
justifying why immediate attention and action to improve the cybersecu-
rity posture of application X can be deferred or studied further. Reactive

discounting of future events but has many other causes as well.

Progress in cybersecurity policy has also stalled at least in part because

we also want a private sector that innovates rapidly, and the convenience
of not having to worry about cybersecurity, and the ability for applica-
tions to interoperate easily and quickly with one another, and the right to
no diminution of our civil liberties, and so on.
But the tradeoffs between security and these other national interests

case entail sharper and starker tradeoffs than are necessary and that the

Indeed, proposals may be developed that may advance both interests

posture for the nation might also provide better protection for intellectual
property, thereby enhancing the nation’s capability for innovation. More
usable security technologies or procedures could provide better security
and also increase the convenience of using information technology.
Nonetheless, irreconcilable tensions will sometimes be encountered.
At that point, policy makers will have to confront rather than side-
step those tensions, and honest acknowledgment and discussion of the
tradeoffs (e.g., a better cybersecurity posture may reduce the nation’s
innovative capability, may increase the inconvenience of using informa-
tion technology, may reduce the ability to collect intelligence) will go a
long way toward building public support for a given policy position.

Finding 6. The use of offensive operations in cyberspace as an

instrument to advance U.S. interests raises many important techni-

the U.S. government.

As noted in Chapter 5, it is a matter of public record that the United

States possesses offensive capabilities in cyberspace, including capabili-

established U.S. Cyber Command as an entity within the Department of

Defense that

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

124 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

information networks and prepare to, and when directed, conduct full
spectrum military cyberspace operations in order to enable actions in all
domains, ensure US/Allied freedom of action in cyberspace and deny
the same to our adversaries.2

The United States has publicly stated that it does not collect intel-
ligence information for the purpose of enhancing the competitiveness or
business prospects of U.S. companies. And it has articulated its view that
established principles of international law—including those of the law of

But beyond these very general statements, the U.S. government has
placed little on the public record, and there is little authoritative informa-
tion about U.S. offensive capabilities in cyberspace, rules of engagement,
-
ties within the Department of Defense and the intelligence community,
and a host of other topics related to offensive operations.

discussed at length. But a full public discussion of issues in these areas has

thinking on these issues highly opaque. Such opacity has many undesir-
able consequences, but one of the most important consequences is that the
role offensive capabilities could play in defending important information
technology assets of the United States cannot be discussed fully.
What is sensitive about offensive U.S. capabilities in cyberspace is

(rather than the nature of that technology itself); fragile and sensitive

-
ticular vulnerability, a particular operational program); or U.S. knowledge

-
vides a generally reasonable basis for understanding what can be done
and for policy discussions that focus primarily on what should be done.

6.2 CONCLUSION

limited to computer science and information technology, psychology, eco-

2Fact sheet on U.S. Cyber Command, available at http://www.stratcom.mil/

factsheets/2/Cyber_Command/, accessed March 8, 2014.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

FINDINGS AND CONCLUSION 125

decision sciences, international relations, and law. In practice, although

technical measures are an important element, cybersecurity is not primar-
ily a technical matter, although it is easy for policy analysts and others
to get lost in the technical details. Furthermore, what is known about
cybersecurity is often compartmented along disciplinary lines, reducing

This primer seeks to illuminate some of these connections. Most of all,

it attempts to leave the reader with two central ideas. The cybersecurity
problem will never be solved once and for all. Solutions to the problem,
limited in scope and longevity though they may be, are at least as much
nontechnical as technical in nature.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Committee Members and Staff

COMMITTEE MEMBERS
DAVID CLARK, Chair, is a senior research scientist at the MIT Computer

receiving his Ph.D. there in 1973. Since the mid-1970s, Clark has been
leading the development of the Internet; from 1981 to 1989 he acted as
chief protocol architect in this development, and he chaired the Internet
-
tural underpinnings of the Internet and at the relationship of technology
and architecture to economic, societal, and policy considerations. He is

Design program. Clark is past chair of the Computer Science and Tele-
communications Board of the National Research Council and has contrib-
uted to a number of studies on the societal and policy impact of computer
communications. He is co-director of the MIT Communications Futures
program, a project for industry collaboration and coordination along the
communications value chain.

THOMAS BERSON is founder and president of Anagram Laboratories

and a visiting scholar at Stanford University. He has been a researcher

Valley entrepreneur three times. He is attracted most strongly to security

Art of War and its applicability to modern

129

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

130 AT THE NEXUS OF CYBERSECURITY AND PUBLIC POLICY

the International Association for Cryptologic Research. His citation reads,

“For visionary and essential service and for numerous valuable contribu-
tions to the technical, social, and commercial development of cryptology
and security.” Berson was an editor of the Journal of Cryptology for 14
years. He is a past chair of the IEEE Technical Committee on Security and
Privacy and a past president of the International Association for Cryp-
tologic Research. Berson has been a member of three previous National
Research Council committees: the Committee on Computer Security in
the Department of Energy, the Committee to Review DoD C4I Plans and
Programs, and the Committee on Offensive Information Warfare. Berson

and a Ph.D. in computer science from the University of London in 1977.

He was a visiting fellow in mathematics in the University of Cambridge,
and he is a life member of Clare Hall, Cambridge. Berson’s Erdös number
is 2; his amateur radio call sign is ND2T.

Council of Advisors on Science and Technology (PCAST) in May 2013,

after a decade combining academic leadership at Georgetown University
with research and advisory activities (including as a RAND adjunct)
aimed at understanding Internet and cybersecurity technology trends and
policy implications. She stewards the council and its program of analyses
(spanning science and technology) that culminate in policy recommen-
dations to the President and the Administration. In fall 2013, PCAST
published Immediate Opportunities for Strengthening the Nation’s Cybersecu-
rity. Blumenthal joined Georgetown University in August 2003 as associ-
ate provost, academic, engaging in campus-wide strategy and oversee-
ing academic units and special initiatives. She led efforts to strengthen
Georgetown sciences (culminating in the 2012 opening of a new science
building and launch of a new computer science Ph.D. program), and
she promoted innovation in teaching, launching Online@GU and co-
developing the Initiative for Technology-Enhanced Learning. Between

Research Council’s Computer Science and Telecommunications Board

(CSTB). Several of the more than 60 reports produced with her leader-
ship affected public policy and/or became trade books. Her cybersecurity
Computers at Risk. Blumenthal did her
undergraduate work at Brown University and received her M.S. in public
policy at Harvard University.

1 Ms. Blumenthal resigned from the committee on May 1, 2013.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

APPENDIX A 131

STAFF
HERBERT S. LIN is chief scientist at the Computer Science and Telecom-
munications Board, National Research Council of the National Academies,
where he has been the study director of major projects on public policy
and information technology. These projects include a number of studies
related to cybersecurity: Cryptography’s Role in Securing the Information
Society (1996); Realizing the Potential of C4I: Fundamental Challenges (1999);
Engaging Privacy and Information Technology in a Digital Age (2007); Toward
a Safer and More Secure Cyberspace (2007); Technology, Policy, Law, and Eth-
ics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009); and
Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and
Developing Options (2010). Prior to his NRC service, he was a professional
staff member and staff scientist for the House Armed Services Committee
(1986-1990), where his portfolio included defense policy and arms control
issues. He received his doctorate in physics from MIT.

ERIC WHITAKER is a senior program assistant at the Computer Science

and Telecommunications Board of the National Research Council. Prior to
joining the CSTB, he was a realtor with Long and Foster Real Estate, Inc.,
in the Washington, D.C., metropolitan area. Before that, he spent several

associate in the Corporate Support Department. He has a B.A. in com-

munication from Hampton University.

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Bibliography

This bibliography lists the reports from the National Research Coun-
cil’s Computer Science and Telecommunications Board from which this
report takes much of its material. All were published by and are available
from the National Academies Press, Washington, D.C.

Chapter 1
• Computers at Risk: Safe Computing in the Information Age (1991)
• Toward a Safer and More Secure Cyberspace (2007)

Chapter 2
• Computing the Future: A Broader Agenda for Computer Science and
Engineering (1992)
• Trust in Cyberspace (1999)
• Being Fluent with Information Technology (1999)
• The Internet’s Coming of Age (2001)
• Signposts in Cyberspace: The Domain Name System and Internet Navi-
gation (2005)

132

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

APPENDIX B 133

Chapter 3
• Toward a Safer and More Secure Cyberspace (2007)
• Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities (2009)

Chapter 4
• Cryptography’s Role in Securing the Information Society (1996)
• Who Goes There? Authentication Through the Lens of Privacy (2003)
• Toward a Safer and More Secure Cyberspace (2007)
• Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities (2009)
• Toward Better Usability, Security, and Privacy of Information Technol-
ogy: Report of a Workshop (2010)
• Letter Report from the Committee on Deterring Cyberattacks: Informing
Strategies and Developing Options for U.S. Policy (2010)

Chapter 5
• Toward a Safer and More Secure Cyberspace (2007)
• Engaging Privacy and Information Technology in a Digital Age (2007)
• Assessing the Impacts of Changes in the Information Technology R&D
Ecosystem: Retaining Leadership in an Increasingly Global Environment
(2009)
• Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities (2009)

Chapter 6
• Toward a Safer and More Secure Cyberspace (2007)
• Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities (2009)

Copyright © National Academy of Sciences. All rights reserved.

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

Copyright © National Academy of Sciences. All rights reserved.

Classifying Cyber Events: A
Proposed Taxonomy
By Charles Harry, PhD, and Nancy Gallagher, PhD

CISSM Working Paper

February 2018

Center for International and Security Studies at Maryland

4113 Van Munching Hall, School of Public Policy
University of Maryland
College Park, MD 20742
(301) 405-7601
Abstract

Publicity surrounding the threat of cyber-attacks continues to grow, yet immature classification
methods for these events prevent technical staff, organizational leaders, and policy makers from
engaging in meaningful and nuanced conversations about the risk to their organizations or
critical infrastructure. This paper provides a taxonomy of cyber events that is used to analyze
over 2,431 publicized cyber events from 2014-2016 by industrial sector. Industrial sectors vary
in the scale of events they are subjected to, the distribution between exploitive and disruptive
event types, and the method by which data is stolen or organizational operations are disrupted.
The number, distribution, and mix of cyber event types highlight significant differences by
sector, demonstrating that strategies may vary based on deeper understandings of the threat
environment faced across industries.

Classifying Cyber Events: A Proposed Taxonomy 2

Introduction

Network security is increasingly recognized as a strategic vulnerability as a growing number of

corporate intrusions are reported. These breaches can affect customer privacy, confidence in a
company’s ability to protect core intellectual property, and essential operations. Large numbers
of intrusions have also occurred into government networks, with recent high-profile breaches
including a significant compromise at the Office of Personal Management (OPM) and at the
credit monitoring service Equifax.

As the private and public sectors grapple with the problem of cyber events, disagreement
remains regarding what can and should be done. Technical solutions, organizational resiliency,
employee education, and improvements in system controls are among many options to reduce
risk. Yet, they are rarely evaluated as part of a strategic approach for addressing diverse threats,
which vary by industry.

Confusion about threats and response options originates in part from imprecision in how we
categorize and measure the range of disruptive cyber events. By failing to recognize the
distinctions between specific forms of attack, the effects they produce on the targeted networks,
the financial strain they place on the targeted organizations, or their broader effects on society,
this confusion leads to the misallocation of resources.

This paper provides a new taxonomy that expands on earlier work by the author and colleagues
to classify cyber incidents by the range of disruptive and exploitative effects produced. It applies
the taxonomy in a sector-based analysis of 2,431 publicized cyber events from 2014-2016. It
finds some striking differences across industries in the scale, method of attack, and distribution
of effect. Government and Professional Services face the largest number of attacks. Governments
experience a mix of disruptive and exploitive events, whereas retail and hotel operators primarily
face exploitive attacks. These findings highlight the need for deeper analysis by sector to assess
the risk for specific organizations and critical infrastructure. They also suggest the importance of
tailoring risk mitigation strategies to fit the different threat environments in various sectors.

Cyber Taxonomies

A confusing array of cyber threat classification systems have been proposed over the past two
decades. Some are based on different phases of the hacking process, while others focus on
specific targets. For example, de Bruijne et al (2017) has created a classification of actors and
methods, whereas Gruschka (2010) develops a taxonomy of attacks against cloud systems. Other
classification approaches focus on specific techniques, such as Distributed Denial of Service or
DDoS attacks (Mirkovic 2004); specific targets, such as browsers (Gaur 2015); or particular IT
capabilities, such as industrial control systems (Zhu 2017) and smart grids (Hu 2014).

Few taxonomies in the information security literature seek to classify events by impact on the
target, the key question for risk assessment. Only two (Howard 1998) and (Kjaerland 2005)
directly propose categories of the effect to the victim. Others including Hansman (2005) focus on

Classifying Cyber Events: A Proposed Taxonomy 3

the attack vector, vulnerabilities, and exploits, while incorporating Howard’s work on effect
categories as part of their broader classification system.

Howard’s widely cited taxonomy includes classification methods for attackers, objectives, tools,
access, and impact. He divides the impact of cyber activity, described as the “unauthorized
results,” into five categories: Corruption of Data, Disclosure of Information, Denial of Service,
Increased Access, and Theft of Service.

Kjaerland (2005) classifies cyber effects differently and as belonging to one of four categories:
Disrupt, Distort, Destruct, and Disclosure. He develops these categories in concert with other
dimensions of analysis to evaluate the linkage between sector, actor, method, and target.

Both of these effect-based taxonomies fail to meet basic standards of a well-defined taxonomy
(Ranganathan 1957), including:

Exclusiveness - No two categories should overlap or should have the same scope and boundaries.

Ascertainability - Each category should be definitively and immediately understandable from its
name.

Consistency - The rules for making the selection should be consistently adhered to.

Affinity and Context - As you move from the top of the hierarchical classification to the bottom,
the specification of the classification should increase.

Currency - Names of the categories in the classification should reflect the language in the
domain for which it is created.

Differentiation -When differentiating a category, it should give rise to at least two subcategories

Exhaustiveness - The classification should provide comprehensive coverage to the domain of

interest.

Howard’s taxomony fails the exhaustiveness requirement because some important and
increasingly common types of cyber events do not fit any of its categories. Examples of these
omissions include attacks on Supervisory Control and Data Acquisition (SCADA) systems, data
deletion resulting from the use of wiper viruses, or social media account hijacking and website
defacement.

The Howard taxonomy also fails the test of exclusivity by including two overlapping effects
categories: Increased Access and Theft of Resources. Most hackers seek greater access and
misuse system resources as a means to an end, not as the final result. Their ultimate goal is not
just access, but the illicit acquisition of information or the disruption of organizational services.
For example, if a hacker wanted to illicitly gain and disseminate information about a company,
they would first obtain unauthorized use of a specific computer or network. Using Howard’s

Classifying Cyber Events: A Proposed Taxonomy 4

categorization of that activity we would have to define a hack of a company database as both a
Theft of Resources as well as a Disclosure of Information event type.

Kjaerland’s classification system also fails important tests for a well-designed taxonomy. By
allowing the same event to be assigned to multiple categories, it violates the criteria of
exclusivity and consistency. For example, Kjaerland’s definition of Destruct notes that “Destruct
is seen as the most invasive and malicious and may include Distort or Disrupt.”

Kjaerland also fails the test of context by mixing impact classification (e.g. destruction of
information) with specific tactics or tools. For example, in his definition of Disrupt he classifies
use of a Trojan as a Disrupt event. However, a Trojan is a technique of hiding a malicious
program in another. That technique can cause many different types of effects depending on
whether it is used to steal or destroy information.

A New Taxonomy

This paper extends previous work (Harry 2015) (Harry & Gallagher 2017) to offer a new
taxonomy for classifying the primary effects on a target of any given cyber event.

I define a cyber event as the result of any single unauthorized effort, or the culmination of many
such technical actions, that engineers, through use of computer technology and networks, a
desired primary effect on a target. For example, if a hacker used a spearphish email to gain
access and then laterally moved through the network to delete data on five machines, that would
count as a single event type whose primary effect resulted in the destruction of data. This
encapsulation of hacker tactics and tradecraft into specification of the primary effect of those
actions is what I define as a cyber event.

In the risk assessment framework developed at the Center for International and Security Studies
at Maryland (CISSM), primary effects are the direct impacts to the target organization’s data or
IT-enabled operations. Cyber events can also cause secondary effects to the organization, such as
the financial costs of replacing equipment damaged in an attack, a drop in the organization’s
stock price, due to bad publicity from the attack, or a loss of confidence in the organization’s
ability to safeguard confidential data. And, they can cause second order effects on individuals or
organizations who rely on the targeted organization for some type of goods or services. These
could include effects on the physical environment, the supply chain, or even distortions an attack
might have on an individual’s attitudes, preferences, or opinion deriving from the release of
salacious information. While these are important areas to consider, they are outside of the scope
of this paper.

Any given cyber event can have one of two types of primary objectives: the disruption to the
functions of the target organization, or the illicit acquisition of information. An attacker might
disrupt an organization’s ability to make products, deliver services, carry out internal functions,
or communicate with the outside world in a number of ways. Alternatively, hackers may seek to
steal credit card user accounts, intellectual property, or sensitive internal communications to get
financial or other benefits without disrupting the organization’s operations.

Classifying Cyber Events: A Proposed Taxonomy 5

 Figure 1: Cyber Event Taxonomy

Disruptive Events

A malicious actor may utilize multiple tactics that have wildly different disruptive effects
depending on how an organization uses information technology to carry out its core functions.
For example, an actor could delete data from one or more corporate networks, deploy
ransomware, destroy physical equipment used to produce goods by manipulating Supervisory
Control and Data Acquisition (SCADA) systems, prevent customers from reaching an
organization’s website, or deny access to a social media account.

Disruptive effects can be classified into five sub-categories depending on the part of an
organization’s IT infrastructure that is most seriously impacted, regardless of what tactic or
techniques were used to accomplish that result. They are: Message Manipulation, External
Denial of Service, Internal Denial of Service, Data Attack, and Physical Attack.

Message Manipulation. Any cyber event that interferes with a victim’s ability to accurately
present or communicate its “message” to its user or customer base is a Message Manipulation
attack. These include the hijacking of social media accounts, such as Facebook or Twitter, or
defacing a company website by replacing the legitimate site with pages supporting a political
cause. For example, in 2015, ISIS affiliated hackers gained access to the YouTube and Twitter
accounts for US CENTCOM. The hackers changed the password, posted threatening messages to
U.S. Service members, and replaced graphics with ISIS imagery (Lamothe 2015). Similarly, in
2016, the website for the International Weightlifting Federation (IWF) was defaced after a
controversial decision to disqualify an Iranian competitor (Cimpanu 2016). Both events used
different tactics, but the primary effect on the targeted organization’s ability to interact with its
audience was the same.

Classifying Cyber Events: A Proposed Taxonomy 6

External Denial of Service. If an attacker executes a cyber-attack from devices outside the target
organization’s network that degrades or denies the victim’s ability to communicate with other
systems, it is classified as an External Denial of Service event. For example, the 2016 Mirai
botnet attack leveraged a compromised set of devices worldwide to overwhelm the DYN
corporation with domain name look-up requests, causing a number of major internet platforms
and services that rely on DYN’s services to stop functioning for many hours (Woolf 2016).
While there are many types of Distributed Denial of Service (DDoS) attacks (ICMP flood, SYN
flood, ping of death, etc.), any of those techniques would produce outcomes that fit the External
Denial of Service cyber event category.

Internal Denial of Service. When a cyber event executed from inside a victim’s network
degrades or denies access to other internal systems, it is an Internal Denial of Service attack. For
instance, an attacker who had gained remote access to a router inside an organization’s network
could reset a core router to factory settings so that devices inside the network could no longer
communicate with one another. The anti DDOS vendor Staminus apparently experienced such an
internal denial of service attack in 2016. It issued a public statement that “a rare event cascaded
across multiple routers in a system-wide event, making our backbone unavailable.” (Reza 2016).
An attacker using malware installed on a file server to disrupt data sent and received between
itself and a user workstation would achieve a similar effect.

Data Attack. Any cyber event that manipulates, destroys, or encrypts data in a victim’s network
is categorized as a Data Attack. Common techniques include the use of wiper viruses and
ransomware. Using stolen administrative credentials to manipulate data and violate its integrity,
such as changing grades in a university registrar’s database would also fit this category. For
example, in 2017 the mass deployment of the NotPeyta ransomware resulted in thousands of data
attack cyber events against individuals as well as to small, medium, and large businesses, with
one case costing the shipping firm Maersk over $200 million (Matthews 2017).

Physical Attack. A cyber event that manipulates, degrades, or destroys physical systems is
classified as a Physical Attack. Current techniques used to achieve this type of effect include the
manipulation of Programable Logic Controllers (PLC) to open or close electrical breakers or
utilize user passwords to access and change settings in a human machine interface to overheat a
blast furnace, causing damage to physical equipment. For example, in the December 2015 cyber-
attack on a Ukrainian utility, a malicious actor accessed and manipulated the control interface to
trip several breakers in power substations. This deenergized a portion of the electrical grid and
tens of thousands of customers lost power for an extended period of time (Lee et al 2016).

Exploitive Events

Some cyber events are designed to steal information rather than to disrupt operations. Hackers
may be seeking customer data, intellectual property, classified national security information, or
sensitive details about the organization itself. While the tactics or techniques used by malicious
actors may change regularly, the location from which they get that information does not. I define
five categories of an exploitive event below: Exploitation of Sensors, Exploitation of End Hosts,

Classifying Cyber Events: A Proposed Taxonomy 7

Exploitation of Infrastructure, Exploitation of Application Servers, and Exploitation of Data in
Transit.

Exploitation of Sensors. A cyber event that results in the loss of data from a peripheral device
like a credit card reader, automobile, smart lightbulb, or a network-connected thermostat is
categorized as an Exploitation of Sensor event. The attack on Eddie Bauer stores where hackers
gained access to hundreds of Point of Sale machines and systematically stole credit card numbers
from thousands of customers fits this category (Krebs 2016). Other examples include illicit
acquisition of technical, customer, personal, or organizational data from CCTV cameras, smart
TVs, or baby monitors.

Exploitation of End Hosts. Hackers often are interested in the data stored on user’s desktop
computers, laptops, or mobile devices. When data is stolen through illicit access to devices used
directly by employees of an organization or by private individuals it is categorized as an
Exploitation of End Host cyber event. Tactics used in this type of attack include sending a
malicious link for a user to click or leveraging compromised user credentials to log in to an
account.

Exploitation of Network Infrastructure. When data is compromised through direct access to

networking equipment such as routers, switches, and modems, the attack is classified as an
Exploitation of Network Infrastructure event. These types of events involve a hacker who,
through use of an exploit or credential compromise, gains direct access to the underlying
infrastructure. For example, a malicious actor who used a vulnerability in the CISCO IOS
operating system to steal configuration information from an organization’s core routing
infrastructure would engineer an Exploitation Network Infrastructure cyber event.

Exploitation of Application Server. Malicious actors who, through misconfiguration or

vulnerability, gain access to data contained in a server-side application (e.g. database) or on the
server itself would generate an Exploitation of Application Server event. A hacker using a SQL
injection to access millions of customer records or the direct access of an e-mail server with all
organizational correspondence would fit into this category. For instance, the compromise of data
in the Office of Personnel Management was the result of access by a malicious actor to a
database hosted on a server (Koerner 2016). Stealing the data required several steps and months
of work, but the event is classified by its ultimate outcome—loss of sensitive information from
central servers hosting large database applications.

Exploitation of Data in Transit. Hackers who acquire data as it is being transmitted between
devices cause Exploitation of Data in Transit events. Examples of this type of event include the
acquisition of unencrypted data as it is sent from a PoS device to a database or moved from an
end-user device through an unsecured wireless hotspot at a local coffee shop.

Classifying Cyber Events: A Proposed Taxonomy 8

Testing the Taxomony on Cyber Events 2014-2016

The best way to assess how well this classification system meets the criteria for a well-defined
taxonomy is to see whether it can be easily and unambiguously used to categorize all the events
in an extensive data set.

Unfortunately, there are no public datasets of cyber attacks that include a variety of cyber events
with a range of both exploitive and disruptive effects. Most public data repositories focus on
some types of events to the exclusion of others. The Privacy Rights Clearinghouse, for example,
has a dataset focused on domestic exploitive attacks, while the blog H-zone.org has a dataset
focused on website defacement attacks (a subset of Message Manipulation). Other datasets are
on privately maintained blogs and webpages. Some do not use a repeatable process to classify or
categorize by sector thereby limiting the range of analysis that can be applied. Others are
compiled from proprietary data or are only available for a steep fee.

To create a dataset that had the information needed to test the CISSM taxonomy, the author used
systematic web searches to identify cyber events that could be characterized by their effects.
Initial searches for generalized references to cyber attacks yielded 3,355 possible events that
were referenced by blogs, security vendor portals, or other English-language news sources from
January 2014 through December 2016.

Of the initial 3,355 candidate cyber events initially discovered, 2,431 were included in the
dataset (72%). Media reports about 909 of the candidate events were broad discussions of
malware campaigns or generalized discussions about threat actor plans and tactics. These were
excluded because they did not provide information on the primary effect to a specific victim.
Media reports about an additional 15 events specifically spoke to the tactics used by the threat
actor independent of the effect to the primary victim, so they were also discarded. For example,
one source discussed the use of compromised Amazon Web services credentials to access a
system but did not talk about what types of actions took place once in the target network.

In complex cases where the victim suffered multiple effects (e.g. website defacement and
DDoS), the dataset counts each effect as a separate, but overlapping, event registered to the
victim. Cyber events were coded to include date, event type, organization type (using the North
American Industrial Classification System (NAICS), a description of the event, and a link to the
source.

This dataset is not an exhaustive accounting of all cyber events during this period. It only
includes events for which there was a direct news source that was verifiable and that provided
some insight into the methods of the attack. The true population of malign cyber activity is
unknown because some significant events are kept secret and many other cyber incidents are too
trivial to warrant media attention. Nevertheless, this dataset includes a large enough number of
events for it to be useful for testing the taxonomy and making rough generalizations about
relative frequencies of different types of events in different sectors.

As discussed earlier, a well-designed taxonomy should, among other things, account for all the
items to be classified, clearly differentiate among categories, ensure that each item has a unique

Classifying Cyber Events: A Proposed Taxonomy 9

classification, and have clear rules that can be consistently applied. The CISSM cyber event
taxomony easily passed each test.

Each of the 2,431 events in the dataset could be coded as either Exploitive or Disruptive and
assigned to one of ten effect-based sub-categories in the CISSM taxonomy. This fulfills the
exhaustiveness requirement. Treating complex attacks in which multiple effects were achieved
by the hacker as a set of separate but overlapping events made it possible to apply the taxonomy
in a consistent manner, to differentiate between categories of effect, and to maintain clear
differentiation between the categorized effects. This analysis did not assess the taxonomy’s
currency, ascertainability, or affinity, because these standards should be judged by individual
users rather than the creator of the taxonomy.

Many cyber classification systems run into the same three major problems: Their inability to
distinguish between tactics and effects; their difficulty remaining relevant as threat actors change
and hacking techniques evolve; and their applicability to some types of IT systems, but not
others. The CISSM taxonomy disentangles stable categories of effects from the rapidly
advancing tactics employed by an ever-changing set of state and non-state hackers in a way that
can be applied to all IT systems in use today or envisioned for the future.

Using the Taxonomy to Analyze Cyber Events

Categorizing cyber events according to their effects rather than treating them as an
indistinguishable, but ever increasing, mass of “cyberattacks” yields a number of useful insights.
Of the 2,431 cyber events during the three-year period reviewed, over 70 percent (1,700) were
exploitive, whereas 30 percent (725) were disruptive. This ratio appears to relatively stable when
examining events on a yearly basis, too. Of the 633 events recorded in 2014, 67 percent (423)
were exploitive, and 33 percent (210) were disruptive. Of the 843 cyber events in 2015, 67
percent (563) were exploitive and 33 percent (280) were disruptive. And of the 955 events
recorded in 2016, 75 percent (714) were exploitive events, compared with 25 percent (241) that
were disruptive.

Of the 1,700 exploitative events, the two most common sub-categories are Exploitation of
Application Server events and Exploitation of End Host events. Ninety percent of all exploitive
events in the dataset fall into one of these two categories. This reflects the current popularity of
SQL injection attacks against web applications, and the heavy use of spearphising campaigns
against end users.

A much smaller percentage of exploitative attacks fall into the other three categories, most likely
because these types of events often require internal access, are inherently more difficult to pull
off, are not as well monitored, or are not as well publicized. Exploitation of Sensor events
represent only 5 percent of the exploitive events sample, probably because the value of data from
many of the devices in this category, like smart thermostats and baby monitors, might not be as
large as records from other sources. Whereas a ready market exists on the Dark Web for
customer data stolen from POS devices, most types of sensor data will not be of broad interest.

Classifying Cyber Events: A Proposed Taxonomy 10

The remaining 5 percent (90) of cyber events were divided between Exploitation of Network
Infrastructure (70 events) and Exploitation of Data in Transit (20 events). These events often
reflected the efforts of more skilled hackers who can leverage toeholds in networks to expand
internal access and acquire information either from network infrastructure such as file shares or
from unencrypted data passed internally through the network.

The 725 disruptive cyber events in the dataset follow a similar pattern with most activity falling
into categories that are generally less problematic. Ninety-six percent of all disruptive events are
either Message Manipulation (60 percent, 433) or External Denial of Service (36 percent, 263)
events. This events reflect efforts by malign actors using less sophisticated techniques to deface
websites that are vulnerable to external access and manipulation, weak passwords surrounding
social media accounts, or high levels of DDoS activity applied by actors against identified
targets.

The remaining 5 percent (29 events), are split between Internal Denial of Service (2 percent, 11
events), Data Attack (2 percent, 14 events), or Physical Attack (1 percent, 4 events). These types
of events involved internal networks, so they required more sophisticated access techniques or
malware leveraged to engineer the intended disruptive effects.

Sector Analysis for Cyber Events

While looking at a general breakdown of cyber

event type is useful, further analysis by sector
reveals interesting variation of effect between
industries. To conduct this analysis, the author
coded the 2,431 cyber events collected using the
North American Industrial Classification System
(NAICS), a hierarchical classification system
commonly used by the U.S. government and
industry to collect, analyze, and publish
information on the U.S. economy. The data set
likely reflects over or under sampling in some
industries and event types with specific state and
federal laws requiring the publication of cyber-
attacks with others not requiring the same
notification. For example, the State of
Maryland’s Personal Information Protection Act
imposes a 45-day notification requirement for
businesses to notify residents when their personal
data has been compromised, yet there is no such
requirement when a business’ website has been
defaced.
Figure 2: Share of all Cyber Events by Sector
An analysis of cyber event activity by sector
reveals three interesting themes. First, while

Classifying Cyber Events: A Proposed Taxonomy 11

most industry sectors are represented in the data, some appear to be targeted by malicious actors
more frequently. Second, the distribution between exploitive and disruptive event types varies by
sector, with some sector’s distribution diverging significantly from the overall average. Finally,
industrial sectors experience a range of event types, with some industries experiencing very
specific categories of effect while others being targeted for a broad range of effects.

In Figure 2, the level of cyber event activity in different sectors is ranked into three tiers—High,
medium, and low—to identify which sectors are currently most prone to the types of
cyberattacks that make it into the public record. Sectors that experience more than 15 percent of
all cyber events in our dataset fit into the highest tier. Government services and professional
services fall into this category; together, they account for 38 percent of all events recorded.

Medium-activity sectors include those that see at least 3.8 percent, but less than 15 percent, of
the events in the full dataset. Sectors falling into this tier include information services, education,
healthcare, finance, retail, entertainment, and accommodation services. The nine sectors in this
category experienced approximately 56.7 percent of the total number of cyber events, suggesting
that a larger breadth of industries is affected by significant numbers of cyber events.

The lowest activity tier includes sectors that had fewer than 3.8 percent of the total events. This
tier includes traditional industries that are less dependent on information technology than other
sectors of the modern economy, such as agriculture, mining, real estate, and construction. Two
sectors considered critical infrastructure—transportation and utilities—also fell into this tier.

In addition to the frequency of event activity, the nature of those effects is also an important
factor in assessing risk to specific sectors. In Figure 3, the percentage of total cyber events
characterized as exploitive is plotted versus the percentage that are disruptive in nature. Only the
ten sectors with the highest frequencies of cyber events are represented in the figure, as many of
the low tier sectors have too few observations to draw meaningful conclusions.

Figure 3: Exploitive vs Disruptive as a Share of Total Events for Top 10 Industry Sectors

Classifying Cyber Events: A Proposed Taxonomy 12

Among the industries that are represented, there appears to be significant differences in the
relative frequencies of exploitative versus disruptive events. For instance, the Retail and
Accommodation and Food Services sectors predominately experience exploitation events (>95
percent Exploitive) whereas the Government Services sector faces a broader mix of exploitation
and disruptive events (53 percent Exploitive, 47 percent Disruptive).

The only sectoral category where the relative frequency of exploitative and disruptive events is
roughly the same as in the entire data set (70 percent Exploitive, 30 percent Disruptive) is the
“other” category. The relative frequency within most sectors is significantly different from the
average distribution. This highlights the importance of assessing risks on a per industry basis
instead of applying general guidance about what types of cyber events are most common.

Lastly, the categories of cyber events are also found to vary between sectors. Table 1 highlights
all cyber events, by share, drawing out some interesting differences. For example, while
Accommodation and Food Services represent only 4.8 percent of all cyber events in the dataset,
that sector accounts for over 36 percent of all Exploitation of Sensor events, well above the
average rate of 3.8 percent. This observation draws attention to the heavy targeting by hackers of
PoS devices used by fast food restaurants and hotels. The same sector is under-represented for
Message Manipulation events. Only 3.4 percent of the events it experienced fell in this category,
compared to the average of 17.9 percent for all sectors.

Differences between sectors in the frequencies of different types of cyber events likely reflect
differences in attacker motivations, vulnerabilities, and benefits that can be obtained through
different types of exploitation of data disruption of key organizational services. For example,
Government Services suffers more Message Manipulation and External Denial of Service event
types, whereas it does not see many Application Server events. A review of specific incidents in
the dataset reveals a large number of attacks against websites aimed at promoting a political
message. These attacks are often exploiting misconfigurations and can be automated thereby
promoting larger numbers of events, whereas exploitation of applications might not occur as
often if the information exploited requires greater effort by the hacker to achieve their goals.

Conclusion

Having an easy-to-use taxonomy that provides an exclusive, exhaustive, and consistent way to
differentiate the primary effects of cyber activity will help organizational leaders and policy
makers have more sophisticated discussions about the different types of threats they face, and the
appropriate risk mitigation strategies. The taxonomy presented in this paper and the analysis of
three years of publicized cyber event data highlights variance in scale, effects, and method.
Differences in the types of disruptive or exploitive attacks directly inform organizational leaders
on both the range as well as concentration of effects they might face. By disentangling tactics
from effect this classification provides a first step in creating a framework by which
organizational leaders can categorize and assess the most consequential forms of cyber attack
they might face. Additional work to measure the impact of specific attacks would allow
organizations and governments to adequately plan for the types of threats they are most likely to

Classifying Cyber Events: A Proposed Taxonomy 13

face, and invest in the technology, training, and processes needed to defend against the most
consequential forms of attack.

Understanding the variation of effect by industry allows organizational leaders to be more

focused on defensive strategies, resiliency measures, or training programs that address specific
effects they are likely to face, rather than interpreting vague guidance by experts or by
purchasing technical solutions that might not be as useful for the threats they face.

About the author

Charles Harry is a senior leader, practitioner, and researcher with over 20 years of experience in
intelligence and cyber operations. Dr. Harry is the Director of Operations at the Maryland Global
Initiative in Cybersecurity (MaGIC), an Associate Research Professor in the School of Public
Policy, and a Senior Research Associate at CISSM.

Nancy Gallagher is the CISSM Director and a Research Professor at the School of Public Policy.

Classifying Cyber Events: A Proposed Taxonomy 14

 Table 1: Cyber Events by Type and Industry Sector

Classifying Cyber Events: A Proposed Taxonomy 15

References

Bedford, D. (2013) “Evaluating Classification Schema and Classification Decisions”. Bulletin of

the American Society for Information Science & Technology, Vol. 39 Issue 2, p13-21

Cimpanu C. (2016) “Iranian Hacker Defaces IWF Website Following Controversial Rio
Olympics Decision” Softpedia News http://news.softpedia.com/news/iranian-hackers-deface-
iwf-website-following-controversial-rio-olympics-decision-507436.shtml

Choo, K. (2011). “The cyber threat landscape: Challenges and future research directions”
Computers & Security, 30(8), 719-731. doi: http://dx.doi.org/10.1016/j.cose.2011.08.004

de Bruijne, M., van Eeten M., Ganan, C., Pieters, W. (2017). “Towards a New Cyber Threat
actor Topology: A Hybrid Method for the NCSC Cyber Security Assessment” Delft University
of Technology https://www.wodc.nl/binaries/2740_Volledige_Tekst_tcm28-273243.pdf

Filipkowski, W. (2008). “Cyber Laundering: An Analysis of Typology and Techniques”

International Journal of Criminal Justice Sciences, Vol 3, pgs 15-27

Gruschka, N., & Jensen, M. (2010). “Attack Surfaces: A Taxonomy for Attacks on Cloud
Services” Paper presented at the IEEE CLOUD

Hansman, S., Hunt R., (2005) “A taxonomy of network and computer attacks”. Computers and
Security, Vo.l 24 Issue 1, p 31-43

Harry, C. (2015) “A Framework for Characterizing Disruptive Cyber Activity and Assessing its
Impact”, Working Paper, Center for International and Security Studies at Maryland (CISSM),
University of Maryland

Harry C. & Gallagher N. (2017) “Categorizing and Assessing Severity of Disruptive Cyber
Events” Policy Brief, Center for International and Security Studies at Maryland (CISSM),
University of Maryland

Howard, J. and Longstaff, T. (1998) “A Common Language for Computer Security Incidents,”
Technical Report, Sandia National Laboratories

Jiankun H., Hemanshu R., and Song G. (2014) “Taxonomy of Attacks for Agent-Based Smart
Grids” IEEE Transactions on Parallel and Distributed Systems, Vol 25, No 7

Kjaerland, M., (2005) “A taxonomy and comparison of computer security incidents from the
commercial and government sectors”. Computers and Security, Vol 25 pgs 522–538.

Kjaerland M. (2005) “A classification of computer security incidents based on reported attack

data” Journal of Investigative Psychology and Offender Profiling. Vol 2, Issue 2 pgs 69-146

Classifying Cyber Events: A Proposed Taxonomy 16

Koerner, B. (2016) “Inside the Cyberattack that Shocked the US Government”, Wired, October
2016. https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

Krebs, B. (2016) “Malware Infected All Eddie Bauer Stores in US and Canada”, Krebs on
Security, https://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stores-in-u-s-
canada/

Lamothe, D “U.S military social media accounts apparently hacked by Islamic State
sympathizers” , http://www.washingtonpost.com/news/checkpoint/wp/2015/01/12/centcom-
twitter-account-apparently-hacked-by-islamic-statesympathizers/, Washington Post, January
2015.

Lee, R., Assante, M., Conway, T. (2016) “Analysis of the Cyber Attack on the Ukrainian Power
Grid”, Sans Institute,. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Lough, D. (2001) “A Taxonomy of Computer Attacks with Applications to Wireless Networks,”

PhD thesis, Virginia Polytechnic Institute and State University

Matthews, L. (2017) “NotPeyta Ransomware Attack Cost Shipping Giant Maersk Over $200
Million”, Forbes https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-
attack-cost-shipping-giant-maersk-over-200-million/#40970b504f9a

Mirkovic, J., and Reiher, P. (2004) “A taxonomy of DDoS attack and DDoS defense
mechanisms” SIGCOMM Comput. Commun. Rev., Vol 34(2), pgs 39-53

Ranganathan, S. R. (1957). Prolegomena to library classification. London: The Library

Association

Rege-Patwardan, A. (2009). “Cybercrimes against critical infrastructures: a study of online

criminal organization and techniques”. Criminal Justice Studies, Vol 22(3), pgs 261-271.

Reza, Ali (2016) “Anti-DDoS firm Staminus hacked, private data posted on line” , Hack Read,
https://www.hackread.com/anti-ddos-firm-staminus-hacked-private-data-posted-online/

Saini, A. Gaur M.S, Laxmi V.S (2015) “A Taxonomy of Browser Attacks”, Handbook of
Research on Digital Crime, Cyberspace Security, and Information Assurance 2015 p. 291-313

Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., & Wu, Q (2009). “AVOIDIT: A cyber attack
taxonomy". University of Memphis.

Woolf, N (2016) “DDoS attack that disrupted internet was the largest of its kind in history,
experts say.” Guardian https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-
mirai-botnet

Zetter, K. (2016) “Inside the Cunning Unprecedented Hack of Ukraine’s Power Grid”, Wired,
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

Classifying Cyber Events: A Proposed Taxonomy 17

Zhu, B. and Sastry, S. (2017) “SCADA-specific Intrusion Detection/Prevention Systems: A
Survey and Taxonomy”, Department of Electrical Computer and Security Engineering,
University of California at Berkeley. Berkeley, CA

Classifying Cyber Events: A Proposed Taxonomy 18

 A Brief History of the Internet

Barry M. Leiner* Vinton G. Cerf David D. Clark

Former Director Chief Internet Evangelist Senior Research Scientist
Research Institute for Advanced Google MIT
Computer Science

Leonard Kleinrock Daniel C. Lynch

Robert E. Kahn Professor of Computer Science Founder
President
UCLA CyberCash Inc, Interop
CNRI

Jon Postel* Larry G. Roberts Stephen Wolff

Chairman and CEO
Former Director Business Development Manager
Anagran, Inc
USC ISI Cisco

This article is an editorial note submitted to CCR. It has NOT been peer reviewed. The authors take full responsibility for this
article's technical content. Comments can be posted through CCR Online.

ABSTRACT world-wide broadcasting capability, a mechanism for information

dissemination, and a medium for collaboration and interaction
This paper was first published online by the Internet Society in between individuals and their computers without regard for
1
December 2003 and is being re-published in ACM SIGCOMM geographic location.
Computer Communication Review because of its historic import.
It was written at the urging of its primary editor, the late Barry The Internet represents one of the most successful examples of the
Leiner. He felt that a factual rendering of the events and activities benefits of sustained investment and commitment to research and
associated with the development of the early Internet would be a development of information infrastructure. Beginning with the
valuable contribution. The contributing authors did their best to early research in packet switching, the government, industry and
incorporate only factual material into this document. There are academia have been partners in evolving and deploying this
sure to be many details that have not been captured in the body of exciting new technology. Today, terms like
the document but it remains one of the most accurate renderings “bleiner@computer.org” and “http://www.acm.org” trip lightly
of the early period of development available. off the tongue of the random person on the street2.

Categories and Subject Descriptors This is intended to be a brief, necessarily cursory and incomplete
C.2.1 [Network Architecture and Design]: Packet-switching history. Much material currently exists about the Internet,
networks. covering history, technology, and usage. A trip to almost any
3
bookstore will find shelves of material written about the Internet .
General Terms
4
Design, Experimentation, Management. In this paper , several of us involved in the development and
evolution of the Internet share our views of its origins and history.
Keywords
Internet, History. 2 Perhaps this is an exaggeration based on the lead author's
residence in Silicon Valley.
1. INTRODUCTION 3 On a recent trip to a Tokyo bookstore, one of the authors
The Internet has revolutionized the computer and communications counted 14 English language magazines devoted to the Internet.
world like nothing before. The invention of the telegraph, 4 An abbreviated version of this article appears in the 50th
telephone, radio, and computer set the stage for this anniversary issue of the CACM, Feb. 97. The authors would like
unprecedented integration of capabilities. The Internet is at once a to express their appreciation to Andy Rosenbloom, CACM
Senior Editor, for both instigating the writing of this article and
* Deceased his invaluable assistance in editing both this and the abbreviated
version.
1 http://www.isoc.org/internet/history/brief.shtml

ACM SIGCOMM Computer Communication Review 22 Volume 39, Number 5, October 2009
This history revolves around four distinct aspects. There is the In late 1966 Roberts went to DARPA to develop the computer
technological evolution that began with early research on packet network concept and quickly put together his plan for the
switching and the ARPANET (and related technologies), and “ARPANET”, publishing it in 1967 [11]. At the conference where
where current research continues to expand the horizons of the he presented the paper, there was also a paper on a packet network
infrastructure along several dimensions, such as scale, concept from the UK by Donald Davies and Roger Scantlebury of
performance, and higher level functionality. There is the NPL. Scantlebury told Roberts about the NPL work as well as that
operations and management aspect of a global and complex of Paul Baran and others at RAND. The RAND group had written
operational infrastructure. There is the social aspect, which a paper on packet switching networks for secure voice in the
resulted in a broad community of Internauts working together to military in 1964 [1]. It happened that the work at MIT (1961-
create and evolve the technology. And there is the 1967), at RAND (1962-1965), and at NPL (1964-1967) had all
commercialization aspect, resulting in an extremely effective proceeded in parallel without any of the researchers knowing
transition of research results into a broadly deployed and available about the other work. The word “packet” was adopted from the
information infrastructure. work at NPL and the proposed line speed to be used in the
6
ARPANET design was upgraded from 2.4 kbps to 50 kbps .
The Internet today is a widespread information infrastructure, the
initial prototype of what is often called the National (or Global or In August 1968, after Roberts and the DARPA funded community
Galactic) Information Infrastructure. Its history is complex and had refined the overall structure and specifications for the
involves many aspects - technological, organizational, and ARPANET, an RFQ was released by DARPA for the
community. And its influence reaches not only to the technical development of one of the key components, the packet switches
fields of computer communications but throughout society as we called Interface Message Processors (IMP's). The RFQ was won
move toward increasing use of online tools to accomplish in December 1968 by a group headed by Frank Heart at Bolt
electronic commerce, information acquisition, and community Beranek and Newman (BBN). As the BBN team worked on the
operations. IMP's with Bob Kahn playing a major role in the overall
ARPANET architectural design, the network topology and
economics were designed and optimized by Roberts working with
2. ORIGINS OF THE INTERNET Howard Frank and his team at Network Analysis Corporation, and
The first recorded description of the social interactions that could the network measurement system was prepared by Kleinrock's
be enabled through networking was a series of memos written by team at UCLA7.
J.C.R. Licklider of MIT in August 1962 discussing his “Galactic
Network” concept [9]. He envisioned a globally interconnected set Due to Kleinrock's early development of packet switching theory
of computers through which everyone could quickly access data and his focus on analysis, design and measurement, his Network
and programs from any site. In spirit, the concept was very much Measurement Center at UCLA was selected to be the first node on
like the Internet of today. Licklider was the first head of the the ARPANET. All this came together in September 1969 when
5
computer research program at DARPA , starting in October 1962. BBN installed the first IMP at UCLA and the first host computer
While at DARPA he convinced his successors at DARPA, Ivan was connected. Doug Engelbart's project on “Augmentation of
Sutherland, Bob Taylor, and MIT researcher Lawrence G. Human Intellect” (which included NLS, an early hypertext
Roberts, of the importance of this networking concept. system) at Stanford Research Institute (SRI) provided a second
node. SRI supported the Network Information Center, led by
Leonard Kleinrock at MIT published the first paper on packet Elizabeth (Jake) Feinler and including functions such as
switching theory in July 1961 [6] and the first book on the subject maintaining tables of host name to address mapping as well as a
in 1964 [7]. Kleinrock convinced Roberts of the theoretical directory of the RFC's. One month later, when SRI was connected
feasibility of communications using packets rather than circuits, to the ARPANET, the first host-to-host message was sent from
which was a major step along the path towards computer Kleinrock's laboratory to SRI. Two more nodes were added at UC
networking. The other key step was to make the computers talk
together. To explore this, in 1965 working with Thomas Merrill,
Roberts connected the TX-2 computer in Mass. to the Q-32 in 6 It was from the RAND study that the false rumor started claiming
California with a low speed dial-up telephone line creating the that the ARPANET was somehow related to building a network
first (however small) wide-area computer network ever built [10]. resistant to nuclear war. This was never true of the ARPANET,
The result of this experiment was the realization that the time- only the unrelated RAND study on secure voice considered
shared computers could work well together, running programs and nuclear war. However, the later work on Internetting did
retrieving data as necessary on the remote machine, but that the emphasize robustness and survivability, including the capability
circuit switched telephone system was totally inadequate for the to withstand losses of large portions of the underlying networks.
job. Kleinrock's argument for packet switching was confirmed.
7 Including amongst others Vint Cerf, Steve Crocker, and Jon
Postel. Joining them later were David Crocker who was to
5 The Advanced Research Projects Agency (ARPA) changed its play an important role in documentation of electronic mail
name to Defense Advanced Research Projects Agency protocols, and Robert Braden, who developed the first NCP
(DARPA) in 1971, then back to ARPA in 1993, and back to and then TCP for IBM mainframes and was also to play a
DARPA in 1996. We refer throughout to DARPA, the current long term role in the ICCB and IAB. 776
name.

ACM SIGCOMM Computer Communication Review 23 Volume 39, Number 5, October 2009
Santa Barbara and University of Utah. These last two nodes possibility. While there were other limited ways to interconnect
incorporated application visualization projects, with Glen Culler different networks, they required that one be used as a component
and Burton Fried at UCSB investigating methods for display of of the other, rather than acting as a peer of the other in offering
mathematical functions using storage displays to deal with the end-to-end service.
problem of refresh over the net, and Robert Taylor and Ivan
Sutherland at Utah investigating methods of 3-D representations In an open-architecture network, the individual networks may be
over the net. Thus, by the end of 1969, four host computers were separately designed and developed and each may have its own
connected together into the initial ARPANET, and the budding unique interface which it may offer to users and/or other
Internet was off the ground. Even at this early stage, it should be providers. including other Internet providers. Each network can be
noted that the networking research incorporated both work on the designed in accordance with the specific environment and user
underlying network and work on how to utilize the network. This requirements of that network. There are generally no constraints
tradition continues to this day. on the types of network that can be included or on their
geographic scope, although certain pragmatic considerations will
dictate what makes sense to offer.
Computers were added quickly to the ARPANET during the
following years, and work proceeded on completing a functionally The idea of open-architecture networking was first introduced by
complete Host-to-Host protocol and other network software. In Kahn shortly after having arrived at DARPA in 1972. This work
December 1970 the Network Working Group (NWG) working was originally part of the packet radio program, but subsequently
under S. Crocker finished the initial ARPANET Host-to-Host became a separate program in its own right. At the time, the
protocol, called the Network Control Protocol (NCP). As the program was called “Internetting”. Key to making the packet radio
ARPANET sites completed implementing NCP during the period system work was a reliable end-end protocol that could maintain
1971-1972, the network users finally could begin to develop effective communication in the face of jamming and other radio
applications. interference, or withstand intermittent blackout such as caused by
being in a tunnel or blocked by the local terrain. Kahn first
In October 1972 Kahn organized a large, very successful contemplated developing a protocol local only to the packet radio
demonstration of the ARPANET at the International Computer network, since that would avoid having to deal with the multitude
Communication Conference (ICCC). This was the first public of different operating systems, and continuing to use NCP.
demonstration of this new network technology to the public. It
However, NCP did not have the ability to address networks (and
was also in 1972 that the initial “hot” application, electronic mail,
machines) further downstream than a destination IMP on the
was introduced. In March Ray Tomlinson at BBN wrote the basic ARPANET and thus some change to NCP would also be required.
email message send and read software, motivated by the need of
(The assumption was that the ARPANET was not changeable in
the ARPANET developers for an easy coordination mechanism.
this regard). NCP relied on ARPANET to provide end-to-end
In July, Roberts expanded its utility by writing the first email
reliability. If any packets were lost, the protocol (and presumably
utility program to list, selectively read, file, forward, and respond
any applications it supported) would come to a grinding halt. In
to messages. From there email took off as the largest network this model NCP had no end-end host error control, since the
application for over a decade. This was a harbinger of the kind of
ARPANET was to be the only network in existence and it would
activity we see on the World Wide Web today, namely, the
be so reliable that no error control would be required on the part
enormous growth of all kinds of “people-to-people” traffic. of the hosts.
Thus, Kahn decided to develop a new version of the protocol
3. THE INITIAL INTERNETTING which could meet the needs of an open-architecture network
CONCEPTS environment. This protocol would eventually be called the
The original ARPANET grew into the Internet. Internet was based Transmission Control Protocol/Internet Protocol (TCP/IP). While
on the idea that there would be multiple independent networks of NCP tended to act like a device driver, the new protocol would be
more like a communications protocol.
rather arbitrary design, beginning with the ARPANET as the
pioneering packet switching network, but soon to include packet Four ground rules were critical to Kahn's early thinking:
satellite networks, ground-based packet radio networks and other • Each distinct network would have to stand on its own
networks. The Internet as we now know it embodies a key and no internal changes could be required to any such
underlying technical idea, namely that of open architecture network to connect it to the Internet.
networking. In this approach, the choice of any individual
network technology was not dictated by a particular network • Communications would be on a best effort basis. If a
architecture but rather could be selected freely by a provider and packet didn't make it to the final destination, it would
made to interwork with the other networks through a meta-level shortly be retransmitted from the source.
“Internetworking Architecture”. Up until that time there was only
one general method for federating networks. This was the • Black boxes would be used to connect the networks;
traditional circuit switching method where networks would these would later be called gateways and routers. There
interconnect at the circuit level, passing individual bits on a would be no information retained by the gateways about the
synchronous basis along a portion of an end-to-end circuit individual flows of packets passing through them,
between a pair of end locations. Recall that Kleinrock had shown thereby keeping them simple and avoiding complicated
in 1961 that packet switching was a more efficient switching adaptation and recovery from various failure modes.
method. Along with packet switching, special purpose
interconnection arrangements between networks were another • There would be no global control at the operations level.

ACM SIGCOMM Computer Communication Review 24 Volume 39, Number 5, October 2009
Other key issues that needed to be addressed were: select when to acknowledge and each ack returned
would be cumulative for all packets received to that point.
• Algorithms to prevent lost packets from permanently
disabling communications and enabling them to be • It was left open as to exactly how the source and
successfully retransmitted from the source. destination would agree on the parameters of the
windowing to be used. Defaults were used initially.
• Providing for host to host “pipelining” so that multiple
packets could be enroute from source to destination at the • Although Ethernet was under development at Xerox
discretion of the participating hosts, if the PARC at that time, the proliferation of LANs were not
intermediate networks allowed it. envisioned at the time, much less PCs and workstations. The
original model was national level networks like
• Gateway functions to allow it to forward packets ARPANET of which only a relatively small number were
appropriately. This included interpreting IP headers for expected to exist. Thus a 32 bit IP address was used of
routing, handling interfaces, breaking packets into which the first 8 bits signified the network and the
smaller pieces if necessary, etc. remaining 24 bits designated the host on that network.
This assumption, that 256 networks would be sufficient for
• The need for end-end checksums, reassembly of packets the foreseeable future, was clearly in need of reconsideration
from fragments and detection of duplicates, if any. when LANs began to appear in the late 1970s.
• The need for global addressing The original Cerf/Kahn paper on the Internet described one
protocol, called TCP, which provided all the transport and
• Techniques for host to host flow control. forwarding services in the Internet. Kahn had intended that the
TCP protocol support a range of transport services, from the
• Interfacing with the various operating systems totally reliable sequenced delivery of data (virtual circuit model)
to a datagram service in which the application made direct use of
• There were also other concerns, such as implementation the underlying network service, which might imply occasional
efficiency, internetwork performance, but these were lost, corrupted or reordered packets.
secondary considerations at first.
However, the initial effort to implement TCP resulted in a version
Kahn began work on a communications-oriented set of operating that only allowed for virtual circuits. This model worked fine for
system principles while at BBN and documented some of his early file transfer and remote login applications, but some of the early
thoughts in an internal BBN memorandum entitled work on advanced network applications, in particular packet voice
“Communications Principles for Operating Systems” [4]. At this in the 1970s, made clear that in some cases packet losses should
point he realized it would be necessary to learn the not be corrected by TCP, but should be left to the application to
implementation details of each operating system to have a chance deal with. This led to a reorganization of the original TCP into
to embed any new protocols in an efficient way. Thus, in the two protocols, the simple IP which provided only for addressing
spring of 1973, after starting the internetting effort, he asked Vint and forwarding of individual packets, and the separate TCP,
Cerf (then at Stanford) to work with him on the detailed design of which was concerned with service features such as flow control
the protocol. Cerf had been intimately involved in the original and recovery from lost packets. For those applications that did not
NCP design and development and already had the knowledge want the services of TCP, an alternative called the User Datagram
about interfacing to existing operating systems. So armed with Protocol (UDP) was added in order to provide direct access to the
Kahn's architectural approach to the communications side and basic service of IP.
with Cerf's NCP experience, they teamed up to spell out the
details of what became TCP/IP. A major initial motivation for both the ARPANET and the
Internet was resource sharing - for example allowing users on the
The give and take was highly productive and the first written packet radio networks to access the time sharing systems attached
version8 of the resulting approach was distributed at a special to the ARPANET. Connecting the two together was far more
meeting of the International Network Working Group (INWG) economical that duplicating these very expensive computers.
which had been set up at a conference at Sussex University in However, while file transfer and remote login (Telnet) were very
September 1973. Cerf had been invited to chair this group and important applications, electronic mail has probably had the most
used the occasion to hold a meeting of INWG members who were significant impact of the innovations from that era. Email
heavily represented at the Sussex Conference. provided a new model of how people could communicate with
Some basic approaches emerged from this collaboration between each other, and changed the nature of collaboration, first in the
Kahn and Cerf: building of the Internet itself (as is discussed below) and later for
• Communication between two processes would logically much of society.
consist of a very long stream of bytes (they called them There were other applications proposed in the early days of the
octets). The position of any octet in the stream would be Internet, including packet based voice communication (the
used to identify it. precursor of Internet telephony), various models of file and disk
sharing, and early “worm” programs that showed the concept of
• Flow control would be done by using sliding windows
agents (and, of course, viruses). A key concept of the Internet is
and acknowledgments (acks). The destination could
that it was not designed for just one application, but as a general
infrastructure on which new applications could be conceived, as
illustrated later by the emergence of the World Wide Web. It is
8 This was subsequently published as Reference [4].

ACM SIGCOMM Computer Communication Review 25 Volume 39, Number 5, October 2009
the general purpose nature of the service provided by TCP and IP Domain Name System (DNS) was invented by Paul Mockapetris
that makes this possible. of USC/ISI. The DNS permitted a scalable distributed mechanism
for resolving hierarchical host names (e.g. www.acm.org) into an
4. PROVING THE IDEAS Internet address.
DARPA let three contracts to Stanford (Cerf), BBN (Ray
Tomlinson) and UCL (Peter Kirstein) to implement TCP/IP (it The increase in the size of the Internet also challenged the
was simply called TCP in the Cerf/Kahn paper but contained both capabilities of the routers. Originally, there was a single
distributed algorithm for routing that was implemented uniformly
components). The Stanford team, led by Cerf, produced the
detailed specification and within about a year there were three by all the routers in the Internet. As the number of networks in the
independent implementations of TCP that could interoperate. Internet exploded, this initial design could not expand as
necessary, so it was replaced by a hierarchical model of routing,
This was the beginning of long term experimentation and with an Interior Gateway Protocol (IGP) used inside each region
development to evolve and mature the Internet concepts and of the Internet, and an Exterior Gateway Protocol (EGP) used to
technology. Beginning with the first three networks (ARPANET, tie the regions together. This design permitted different regions to
Packet Radio, and Packet Satellite) and their initial research use a different IGP, so that different requirements for cost, rapid
communities, the experimental environment has grown to reconfiguration, robustness and scale could be accommodated.
incorporate essentially every form of network and a very broad- Not only the routing algorithm, but the size of the addressing
based research and development community [5]. With each tables, stressed the capacity of the routers. New approaches for
expansion has come new challenges. address aggregation, in particular classless inter-domain routing
(CIDR), have recently been introduced to control the size of
The early implementations of TCP were done for large time router tables.
sharing systems such as Tenex and TOPS 20. When desktop
computers first appeared, it was thought by some that TCP was As the Internet evolved, one of the major challenges was
too big and complex to run on a personal computer. David Clark how to propagate the changes to the software, particularly the host
and his research group at MIT set out to show that a compact and software. DARPA supported UC Berkeley to investigate
simple implementation of TCP was possible. They produced an modifications to the Unix operating system, including
implementation, first for the Xerox Alto (the early personal incorporating TCP/IP developed at BBN. Although Berkeley later
workstation developed at Xerox PARC) and then for the IBM PC. rewrote the BBN code to more efficiently fit into the Unix system
That implementation was fully interoperable with other TCPs, but and kernel, the incorporation of TCP/IP into the Unix BSD system
was tailored to the application suite and performance objectives of releases proved to be a critical element in dispersion of the
the personal computer, and showed that workstations, as well as protocols to the research community. Much of the CS research
large time-sharing systems, could be a part of the Internet. In community began to use Unix BSD for their day-to-day
1976, Kleinrock published the first book on the ARPANET [8]. It computing environment. Looking back, the strategy of
included an emphasis on the complexity of protocols and the incorporating Internet protocols into a supported operating system
pitfalls they often introduce. This book was influential in for the research community was one of the key elements in the
spreading the lore of packet switching networks to a very wide successful widespread adoption of the Internet.
community.
One of the more interesting challenges was the transition of
Widespread development of LANS, PCs and workstations in the ARPANET host protocol from NCP to TCP/IP as of January
the 1980s allowed the nascent Internet to flourish. Ethernet 1, 1983. This was a “flag-day” style transition, requiring all hosts
technology, developed by Bob Metcalfe at Xerox PARC in 1973, to convert simultaneously or be left having to communicate via
is now probably the dominant network technology in the Internet rather ad-hoc mechanisms. This transition was carefully planned
and PCs and workstations the dominant computers. This change within the community over several years before it actually took
from having a few networks with a modest number of time-shared place and went surprisingly smoothly (but resulted in a
hosts (the original ARPANET model) to having many networks distribution of buttons saying “I survived the TCP/IP transition”).
has resulted in a number of new concepts and changes to the
underlying technology. First, it resulted in the definition of three TCP/IP was adopted as a defense standard three years earlier
in 1980. This enabled defense to begin sharing in the DARPA
network classes (A, B, and C) to accommodate the range of
Internet technology base and led directly to the eventual
networks. Class A represented large national scale networks
(small number of networks with large numbers of hosts); Class B partitioning of the military and non- military communities. By
1983, ARPANET was being used by a significant number of
represented regional scale networks; and Class C represented local
area networks (large number of networks with relatively few defense R&D and operational organizations. The transition of
hosts). ARPANET from NCP to TCP/IP permitted it to be split into a
MILNET supporting operational requirements and an ARPANET
A major shift occurred as a result of the increase in scale of supporting research needs.
the Internet and its associated management issues. To make it
easy for people to use the network, hosts were assigned names, so Thus, by 1985, Internet was already well established as a
technology supporting a broad community of researchers and
that it was not necessary to remember the numeric addresses.
Originally, there were a fairly limited number of hosts, so it was developers, and was beginning to be used by other communities
feasible to maintain a single table of all the hosts and their for daily computer communications. Electronic mail was being
used broadly across several communities, often with different
associated names and addresses. The shift to having a large
number of independently managed networks (e.g., LANs) meant systems, but interconnection of different mail systems was
that having a single table of hosts was no longer feasible, and the showing the utility of inter-personal electronic communication

ACM SIGCOMM Computer Communication Review 26 Volume 39, Number 5, October 2009
5. TRANSITION TO WIDESPREAD Engineering and Architecture Task Forces and by NSF's Network
Technical Advisory Group of RFC 985 (Requirements for Internet
INFRASTRUCTURE Gateways ), which formally ensured interoperability of DARPA's
At the same time that the Internet technology was being
and NSF's pieces of the Internet.
experimentally validated and widely used amongst a subset of
computer science researchers, other networks and networking In addition to the selection of TCP/IP for the NSFNET program,
technologies were being pursued. The usefulness of computer Federal agencies made and implemented several other policy
networking - especially electronic mail - demonstrated by decisions which shaped the Internet of today.
DARPA and Department of Defense contractors on the
ARPANET was not lost on other communities and disciplines, so • Federal agencies shared the cost of common infrastructure,
that by the mid-1970s computer networks had begun to spring up such as trans-oceanic circuits. They also jointly supported
wherever funding could be found for the purpose. The U.S. “managed interconnection points” for interagency traffic;
Department of Energy (DoE) established MFENet for its the Federal Internet Exchanges (FIX-E and FIX-W) built
researchers in Magnetic Fusion Energy, whereupon DoE's High for this purpose served as models for the Network
Energy Physicists responded by building HEPNet. NASA Space Access Points and “*IX” facilities that are prominent
Physicists followed with SPAN, and Rick Adrion, David Farber, features of today's Internet architecture.
and Larry Landweber established CSNET for the (academic and
industrial) Computer Science community with an initial grant • To coordinate this sharing, the Federal Networking
10
from the U.S. National Science Foundation (NSF). AT&T's free- Council was formed. The FNC also cooperated with other
wheeling dissemination of the UNIX computer operating system international organizations, such as RARE in Europe,
spawned USENET, based on UNIX' built-in UUCP through the Coordinating Committee on
Intercontinental Research Networking, CCIRN, to
communication protocols, and in 1981 Ira Fuchs and Greydon
coordinate Internet support of the research community
Freeman devised BITNET, which linked academic mainframe
worldwide.
computers in an “email as card images” paradigm.
With the exception of BITNET and USENET, these early • This sharing and cooperation between agencies on
networks (including ARPANET) were purpose-built - i.e., they Internet-related issues had a long history. An
were intended for, and largely restricted to, closed communities of unprecedented 1981 agreement between Farber, acting for
scholars; there was hence little pressure for the individual CSNET and the NSF, and DARPA's Kahn,
networks to be compatible and, indeed, they largely were not. In permitted CSNET traffic to share ARPANET
addition, alternate technologies were being pursued in the infrastructure on a statistical and no-metered-
commercial sector, including XNS from Xerox, DECNet, and settlements basis.
IBM's SNA9. It remained for the British JANET (1984) and U.S.
• Subsequently, in a similar mode, the NSF encouraged its
NSFNET (1985) programs to explicitly announce their intent to
regional (initially academic) networks of the
serve the entire higher education community, regardless of
NSFNET to seek commercial, non-academic customers,
discipline. Indeed, a condition for a U.S. university to receive
expand their facilities to serve them, and exploit the
NSF funding for an Internet connection was that “... the
resulting economies of scale to lower subscription costs for
connection must be made available to ALL qualified users on all.
campus.”
In 1985, Dennis Jennings came from Ireland to spend a year at • On the NSFNET Backbone - the national-scale segment of
NSF leading the NSFNET program. He worked with the the NSFNET - NSF enforced an “Acceptable Use Policy”
community to help NSF make a critical decision - that TCP/IP (AUP) which prohibited Backbone usage for purposes
would be mandatory for the NSFNET program. When Steve “not in support of Research and Education.” The
Wolff took over the NSFNET program in 1986, he recognized the predictable (and intended) result of encouraging
need for a wide area networking infrastructure to support the commercial network traffic at the local and regional
level, while denying its access to national-scale
general academic and research community, along with the need to
transport, was to stimulate the emergence and/or growth of
develop a strategy for establishing such infrastructure on a basis
“private”, competitive, long-haul networks such as PSI,
ultimately independent of direct federal funding. Policies and
UUNET, ANS CO+RE, and (later) others. This process
strategies were adopted (see below) to achieve that end. of privately-financed augmentation for commercial
NSF also elected to support DARPA's existing Internet uses was thrashed out starting in 1988 in a series of NSF-
organizational infrastructure, hierarchically arranged under the initiated conferences at Harvard's Kennedy
(then) Internet Activities Board (IAB). The public declaration of School of Government on “The
this choice was the joint authorship by the IAB's Internet Commercialization and Privatization of the Internet” - and
on the “com-priv” list on the net itself.

9 The desirability of email interchange, however, led to one of the 10 Originally named Federal Research Internet Coordinating
first “Internet books”: !%@:: A Directory of Electronic Mail Committee, FRICC. The FRICC was originally formed to
Addressing and Networks, by Frey and Adams, on email address coordinate U.S. research network activities in support of the
translation and forwarding. international coordination provided by the CCIRN.

ACM SIGCOMM Computer Communication Review 27 Volume 39, Number 5, October 2009
 • In 1988, a National Research Council committee, distribution way to share ideas with other network researchers. At
chaired by Kleinrock and with Kahn and Clark as first the RFCs were printed on paper and distributed via snail
members, produced a report commissioned by NSF mail. As the File Transfer Protocol (FTP) came into use, the RFCs
titled “Towards a National Research Network”. This were prepared as online files and accessed via FTP. Now, of
report was influential on then Senator Al Gore, and course, the RFCs are easily accessed via the World Wide Web at
ushered in high speed networks that laid the networking dozens of sites around the world. SRI, in its role as Network
foundation for the future information superhighway. Information Center, maintained the online directories. Jon Postel
• In 1994, a National Research Council report, again acted as RFC Editor as well as managing the centralized
chaired by Kleinrock (and with Kahn and Clark as administration of required protocol number assignments, roles that
members again), Entitled “Realizing The Information he continued to play until his death, October 16, 1998
Future: The Internet and Beyond” was released. This
report, commissioned by NSF, was the document in
which a blueprint for the evolution of the information The effect of the RFCs was to create a positive feedback loop,
superhighway was articulated and which has had a with ideas or proposals presented in one RFC triggering another
lasting affect on the way to think about its evolution. It RFC with additional ideas, and so on. When some consensus (or a
anticipated the critical issues of intellectual property least a consistent set of ideas) had come together a specification
rights, ethics, pricing, education, architecture and document would be prepared. Such a specification would then be
regulation for the Internet. used as the base for implementations by the various research
• NSF's privatization policy culminated in April, 1995, teams.
with the defunding of the NSFNET Backbone. The
funds thereby recovered were (competitively) Over time, the RFCs have become more focused on protocol
redistributed to regional networks to buy national-scale standards (the “official” specifications), though there are still
Internet connectivity from the now numerous, private, informational RFCs that describe alternate approaches, or provide
long-haul networks. background information on protocols and engineering issues. The
The backbone had made the transition from a network built from RFCs are now viewed as the “documents of record” in the Internet
routers out of the research community (the “Fuzzball” routers engineering and standards community.
from David Mills) to commercial equipment. In its 8 1/2 year
lifetime, the Backbone had grown from six nodes with 56 kbps The open access to the RFCs (for free, if you have any kind of a
links to 21 nodes with multiple 45 Mbps links. It had seen the connection to the Internet) promotes the growth of the Internet
Internet grow to over 50,000 networks on all seven continents and because it allows the actual specifications to be used for examples
outer space, with approximately 29,000 networks in the United in college classes and by entrepreneurs developing new systems.
States.
Email has been a significant factor in all areas of the Internet, and
Such was the weight of the NSFNET program's ecumenism and that is certainly true in the development of protocol specifications,
funding ($200 million from 1986 to 1995) - and the quality of the
technical standards, and Internet engineering. The very early
protocols themselves - that by 1990 when the ARPANET itself RFCs often presented a set of ideas developed by the researchers
11
was finally decommissioned , TCP/IP had supplanted or at one location to the rest of the community. After email came
marginalized most other wide-area computer network protocols
into use, the authorship pattern changed - RFCs were presented by
worldwide, and IP was well on its way to becoming THE bearer joint authors with common view independent of their locations.
service for the Global Information Infrastructure.
The use of specialized email mailing lists has been long used in
the development of protocol specifications, and continues to be an
6. THE ROLE OF DOCUMENATION important tool. The IETF now has in excess of 75 working
A key to the rapid growth of the Internet has been the free and groups, each working on a different aspect of Internet
open access to the basic documents, especially the specifications engineering. Each of these working groups has a mailing list to
of the protocols. discuss one or more draft documents under development. When
consensus is reached on a draft document it may be distributed as
The beginnings of the ARPANET and the Internet in the an RFC.
university research community promoted the academic tradition
of open publication of ideas and results. However, the normal As the current rapid expansion of the Internet is fueled by the
cycle of traditional academic publication was too formal and too realization of its capability to promote information sharing, we
slow for the dynamic exchange of ideas essential to creating should understand that the network's first role in information
networks. sharing was sharing the information about it's own design and
operation through the RFC documents. This unique method for
In 1969 a key step was taken by S. Crocker (then at UCLA) in evolving new capabilities in the network will continue to be
establishing the Request for Comments (or RFC) series of notes critical to future evolution of the Internet.
[3]. These memos were intended to be an informal fast

11 The decommisioning of the ARPANET was commemorated on

its 20th anniversary by a UCLA symposium in 1989.

ACM SIGCOMM Computer Communication Review 28 Volume 39, Number 5, October 2009
7. FORMATION OF THE BROAD funding of the Internet. In addition to NSFNet and the various US
and international government-funded activities, interest in the
COMMUNITY commercial sector was beginning to grow. Also in 1985, both
The Internet is as much a collection of communities as a Kahn and Leiner left DARPA and there was a significant decrease
collection of technologies, and its success is largely attributable to in Internet activity at DARPA. As a result, the IAB was left
both satisfying basic community needs as well as utilizing the
without a primary sponsor and increasingly assumed the mantle of
community in an effective way to push the infrastructure forward. leadership.
This community spirit has a long history beginning with the early
ARPANET. The early ARPANET researchers worked as a close-
The growth continued, resulting in even further substructure
knit community to accomplish the initial demonstrations of packet
switching technology described earlier. Likewise, the Packet within both the IAB and IETF. The IETF combined Working
Satellite, Packet Radio and several other DARPA computer Groups into Areas, and designated Area Directors. An Internet
Engineering Steering Group (IESG) was formed of the Area
science research programs were multi-contractor collaborative
Directors. The IAB recognized the increasing importance of the
activities that heavily used whatever available mechanisms there
were to coordinate their efforts, starting with electronic mail and IETF, and restructured the standards process to explicitly
recognize the IESG as the major review body for standards. The
adding file sharing, remote access, and eventually World Wide
Web capabilities. Each of these programs formed a working IAB also restructured so that the rest of the Task Forces (other
than the IETF) were combined into an Internet Research Task
group, starting with the ARPANET Network Working Group.
Force (IRTF) chaired by Postel, with the old task forces renamed
Because of the unique role that ARPANET played as an
infrastructure supporting the various research programs, as the as research groups.
Internet started to evolve, the Network Working Group evolved
into Internet Working Group. The growth in the commercial sector brought with it increased
concern regarding the standards process itself. Starting in the early
In the late 1970's, recognizing that the growth of the Internet was 1980's and continuing to this day, the Internet grew beyond its
primarily research roots to include both a broad user community
accompanied by a growth in the size of the interested research
and increased commercial activity. Increased attention was paid to
community and therefore an increased need for coordination
mechanisms, Vint Cerf, then manager of the Internet Program at making the process open and fair. This coupled with a recognized
need for community support of the Internet eventually led to the
DARPA, formed several coordination bodies - an International
formation of the Internet Society in 1991, under the auspices of
Cooperation Board (ICB), chaired by Peter Kirstein of UCL, to
coordinate activities with some cooperating European countries Kahn's Corporation for National Research Initiatives (CNRI) and
the leadership of Cerf, then with CNRI.
centered on Packet Satellite research, an Internet Research Group
which was an inclusive group providing an environment for
general exchange of information, and an Internet Configuration In 1992, yet another reorganization took place. In 1992, the
Control Board (ICCB), chaired by Clark. The ICCB was an Internet Activities Board was re-organized and re-named the
invitational body to assist Cerf in managing the burgeoning Internet Architecture Board operating under the auspices of the
Internet activity. Internet Society. A more “peer” relationship was defined between
the new IAB and IESG, with the IETF and IESG taking a larger
responsibility for the approval of standards. Ultimately, a
In 1983, when Barry Leiner took over management of the Internet
research program at DARPA, he and Clark recognized that the cooperative and mutually supportive relationship was formed
continuing growth of the Internet community demanded a between the IAB, IETF, and Internet Society, with the Internet
Society taking on as a goal the provision of service and other
restructuring of the coordination mechanisms. The ICCB was
disbanded and in its place a structure of Task Forces was formed, measures which would facilitate the work of the IETF.
each focused on a particular area of the technology (e.g. routers,
end-to-end protocols, etc.). The Internet Activities Board (IAB) The recent development and widespread deployment of the World
was formed from the chairs of the Task Forces. It of course was Wide Web has brought with it a new community, as many of the
only a coincidence that the chairs of the Task Forces were the people working on the WWW have not thought of themselves as
same people as the members of the old ICCB, and Dave Clark primarily network researchers and developers. A new
continued to act as chair. coordination organization was formed, the World Wide Web
Consortium (W3C). Initially led from MIT's Laboratory for
Computer Science by Tim Berners-Lee (the inventor of the
After some changing membership on the IAB, Phill Gross became
WWW) and Al Vezza, W3C has taken on the responsibility for
chair of a revitalized Internet Engineering Task Force (IETF), at
the time merely one of the IAB Task Forces. As we saw above, by evolving the various protocols and standards associated with the
Web.
1985 there was a tremendous growth in the more
practical/engineering side of the Internet. This growth resulted in
an explosion in the attendance at the IETF meetings, and Gross Thus, through the over two decades of Internet activity, we have
was compelled to create substructure to the IETF in the form of seen a steady evolution of organizational structures designed to
working groups. support and facilitate an ever-increasing community working
collaboratively on Internet issues.
This growth was complemented by a major expansion in the
community. No longer was DARPA the only major player in the

ACM SIGCOMM Computer Communication Review 29 Volume 39, Number 5, October 2009
8. COMMERCIALIZATION OF THE Network management provides an example of the interplay
between the research and commercial communities. In the
TECHNOLOGY beginning of the Internet, the emphasis was on defining and
Commercialization of the Internet involved not only the implementing protocols that achieved interoperation. As the
development of competitive, private network services, but also the network grew larger, it became clear that the sometime ad hoc
development of commercial products implementing the Internet
procedures used to manage the network would not scale. Manual
technology. In the early 1980s, dozens of vendors were configuration of tables was replaced by distributed automated
incorporating TCP/IP into their products because they saw buyers algorithms, and better tools were devised to isolate faults. In 1987
for that approach to networking. Unfortunately they lacked both
it became clear that a protocol was needed that would permit the
real information about how the technology was supposed to work elements of the network, such as the routers, to be remotely
and how the customers planned on using this approach to managed in a uniform way. Several protocols for this purpose
networking. Many saw it as a nuisance add-on that had to be were proposed, including Simple Network Management Protocol
glued on to their own proprietary networking solutions: SNA, or SNMP (designed, as its name would suggest, for simplicity,
DECNet, Netware, NetBios. The DoD had mandated the use of and derived from an earlier proposal called SGMP) , HEMS (a
TCP/IP in many of its purchases but gave little help to the vendors
more complex design from the research community) and CMIP
regarding how to build useful TCP/IP products. (from the OSI community). A series of meeting led to the
decisions that HEMS would be withdrawn as a candidate for
In 1985, recognizing this lack of information availability and standardization, in order to help resolve the contention, but that
appropriate training, Dan Lynch in cooperation with the IAB work on both SNMP and CMIP would go forward, with the idea
arranged to hold a three day workshop for ALL vendors to come that the SNMP could be a more near-term solution and CMIP a
learn about how TCP/IP worked and what it still could not do longer-term approach. The market could choose the one it found
well. The speakers came mostly from the DARPA research more suitable. SNMP is now used almost universally for network
community who had both developed these protocols and used based management.
them in day to day work. About 250 vendor personnel came to
listen to 50 inventors and experimenters. The results were In the last few years, we have seen a new phase of
surprises on both sides: the vendors were amazed to find that the commercialization. Originally, commercial efforts mainly
inventors were so open about the way things worked (and what comprised vendors providing the basic networking products, and
still did not work) and the inventors were pleased to listen to new service providers offering the connectivity and basic Internet
problems they had not considered, but were being discovered by services. The Internet has now become almost a “commodity”
the vendors in the field. Thus a two way discussion was formed service, and much of the latest attention has been on the use of
that has lasted for over a decade. this global information infrastructure for support of other
commercial services. This has been tremendously accelerated by
After two years of conferences, tutorials, design meetings and the widespread and rapid adoption of browsers and the World
workshops, a special event was organized that invited those Wide Web technology, allowing users easy access to information
vendors whose products ran TCP/IP well enough to come together linked throughout the globe. Products are available to facilitate the
in one room for three days to show off how well they all worked provisioning of that information and many of the latest
together and also ran over the Internet. In September of 1988 the developments in technology have been aimed at providing
first Interop trade show was born. 50 companies made the cut. increasingly sophisticated information services on top of the basic
5,000 engineers from potential customer organizations came to Internet data communications.
see if it all did work as was promised. It did. Why? Because the
vendors worked extremely hard to ensure that everyone's products
interoperated with all of the other products - even with those of 9. HISTORY OF THE FUTURE
their competitors. The Interop trade show has grown immensely On October 24, 1995, the FNC unanimously passed a resolution
since then and today it is held in 7 locations around the world defining the term Internet. This definition was developed in
each year to an audience of over 250,000 people who come to consultation with members of the internet and intellectual
learn which products work with each other in a seamless manner, property rights communities.
learn about the latest products, and discuss the latest technology.
RESOLUTION: The Federal Networking Council
In parallel with the commercialization efforts that were (FNC) agrees that the following language reflects our
highlighted by the Interop activities, the vendors began to attend definition of the term “Internet”. “Internet” refers to the
the IETF meetings that were held 3 or 4 times a year to discuss global information system that -- (i) is logically linked
new ideas for extensions of the TCP/IP protocol suite. Starting together by a globally unique address space based on
with a few hundred attendees mostly from academia and paid for the Internet Protocol (IP) or its subsequent
by the government, these meetings now often exceeds a thousand extensions/follow-ons; (ii) is able to support
attendees, mostly from the vendor community and paid for by the communications using the Transmission Control
attendees themselves. This self-selected group evolves the TCP/IP Protocol/Internet Protocol (TCP/IP) suite or its
suite in a mutually cooperative manner. The reason it is so useful subsequent extensions/follow-ons, and/or other IP-
is that it is comprised of all stakeholders: researchers, end users compatible protocols; and (iii) provides, uses or makes
and vendors. accessible, either publicly or privately, high level
services layered on the communications and related
infrastructure described herein.

ACM SIGCOMM Computer Communication Review 30 Volume 39, Number 5, October 2009
The Internet has changed much in the two decades since it came same time, the industry struggles to find the economic rationale
into existence. It was conceived in the era of time-sharing, but has for the large investment needed for the future growth, for example
survived into the era of personal computers, client-server and to upgrade residential access to a more suitable technology. If the
peer-to-peer computing, and the network computer. It was Internet stumbles, it will not be because we lack for technology,
designed before LANs existed, but has accommodated that new vision, or motivation. It will be because we cannot set a direction
network technology, as well as the more recent ATM and frame and march collectively into the future.
switched services. It was envisioned as supporting a range of
functions from file sharing and remote login to resource sharing
and collaboration, and has spawned electronic mail and more
recently the World Wide Web. But most important, it started as
the creation of a small band of dedicated researchers, and has
grown to be a commercial success with billions of dollars of
annual investment.

One should not conclude that the Internet has now finished
changing. The Internet, although a network in name and
geography, is a creature of the computer, not the traditional
network of the telephone or television industry. It will, indeed it
must, continue to change and evolve at the speed of the computer
Figure 1: Timeline
industry if it is to remain relevant. It is now changing to provide
such new services as real time transport, in order to support, for
example, audio and video streams. The availability of pervasive
10. REFERENCES
1. P. Baran, “On Distributed Communications Networks,” IEEE
networking (i.e., the Internet) along with powerful affordable
Trans. Comm. Systems, March 1964.
computing and communications in portable form (i.e., laptop
computers, two-way pagers, PDAs, cellular phones), is making 2. V. G. Cerf and R. E. Kahn, “A protocol for packet network
possibly a new paradigm of nomadic computing and interconnection,” IEEE Trans. Comm. Tech., vol. COM-22, V
communications.. 5, pp. 627-641, May 1974.
3. S. Crocker, RFC001 Host software, Apr-07-1969.
This evolution will bring us new applications - Internet telephone
and, slightly further out, Internet television. It is evolving to 4. R. Kahn, Communications Principles for Operating Systems.
permit more sophisticated forms of pricing and cost recovery, a Internal BBN memorandum, Jan. 1972.
perhaps painful requirement in this commercial world. It is
5. Proceedings of the IEEE, Special Issue on Packet
changing to accommodate yet another generation of underlying
Communication Networks, Volume 66, No. 11, November, 1978.
network technologies with different characteristics and
(Guest editor: Robert Kahn, associate guest editors: Keith
requirements, from broadband residential access to satellites. New
Uncapher and Harry van Trees)
modes of access and new forms of service will spawn new
applications, which in turn will drive further evolution of the net 6. L. Kleinrock, “Information Flow in Large Communication
itself. Nets,” RLE Quarterly Progress Report, July 1961.
7. L. Kleinrock, Communication Nets: Stochastic Message Flow
The most pressing question for the future of the Internet is not
and Delay, Mcgraw-Hill (New York), 1964.
how the technology will change, but how the process of change
and evolution itself will be managed. As this paper describes, the 8. L. Kleinrock, Queueing Systems: Vol II, Computer
architecture of the Internet has always been driven by a core Applications, John Wiley and Sons (New York), 1976
group of designers, but the form of that group has changed as the
number of interested parties has grown. With the success of the 9. J.C.R. Licklider & W. Clark, “On-Line Man Computer
Internet has come a proliferation of stakeholders - stakeholders Communication,” August 1962.
now with an economic as well as an intellectual investment in the 10. L. Roberts & T. Merrill, “Toward a Cooperative Network of
network. We now see, in the debates over control of the domain Time-Shared Computers,” Fall AFIPS Conf., Oct. 1966.
name space and the form of the next generation IP addresses, a
struggle to find the next social structure that will guide the 11. L. Roberts, “Multiple Computer Networks and Intercomputer
Internet in the future. The form of that structure will be harder to Communication,” ACM Gatlinburg Conf., October
find, given the large number of concerned stake-holders. At the 1967.

ACM SIGCOMM Computer Communication Review 31 Volume 39, Number 5, October 2009
🔐 Privatizing the Internet: Locking the Doors
🌐 What Does It Mean?
Privatizing the internet means restricting or controlling access to parts of the internet, typically by
governments or corporations. It’s the opposite of a fully open, decentralized network. Think of it like
🧱🚪
building walls and gates in a digital city.

🛡️ Purpose in Cybersecurity
1. National Security: Countries may privatize portions of the internet to prevent cyber espionage or
terrorist activity.
2. Data Sovereignty: Ensures that data stays within national borders (e.g., China’s Great Firewall
🇨🇳 ).
3. Corporate Control: Companies may build private networks (Intranets) for sensitive data, safe
from the chaos of the public web.

🧠 Example
A government mandates that all citizen data be stored on local servers, not global cloud
platforms. ☁️➡️ 🏠
⚖️ Pros & Cons
✅ Pros ❌ Cons
Enhanced security Limits freedom of information

Better control over data flow May promote censorship

Reduced exposure to global threats Slows down innovation and communication

📈 Scaling the Internet: Growing the Digital Universe

🌍 What Does It Mean?
Scaling the internet refers to expanding infrastructure to handle more users, data, and devices
efficiently. It’s about building a faster, smarter, and more robust web.

Imagine upgrading from a village road 🚶‍♂️ to a multi-lane highway 🚗🚚🛣️.

🧩 Components of Scaling
🧮
IPv6 Adoption : To accommodate billions of devices.
📦
Content Delivery Networks (CDNs) : For faster access and lower latency.
 🖥️
Edge Computing : Processing data closer to users.
5G & Fiber Networks 📡⚡
: High-speed connectivity.

🔐 Why It Matters for Cybersecurity

More scale = more surface area for attacks. As the internet grows, so does the threat landscape.
Scaling must go hand-in-hand with security.

🔥 Key Cybersecurity Concerns During Scaling

1. Distributed Denial-of-Service (DDoS) Attacks 🌊
2. IoT Vulnerabilities🧸📶
3. Insider Threats in larger systems🕵️‍♀️
4. Zero Trust Architecture becomes crucial 🛡️❌🏠
🧬 Connecting the Dots: Privatization vs. Scaling
Feature Privatization 🔒 Scaling 📡
Control Centralized Decentralized

Accessibility Restricted Expanded

Cybersecurity Focus Isolation & Defense Robust Architecture

Common Tools Firewalls, VPNs, Data Load Balancers, CDNs,

Locality IDS/IPS

🧠 Final Thoughts: A Secure Internet Needs Both

Privatization helps defend sensitive information, while scaling ensures the internet can serve billions
securely. A modern cybersecurity strategy blends both:

|"Build walls where needed 🏰, but also expand roads for progress 🛤️—while guarding every corner
|with cyber shields. 🛡️⚔️"
GAINING THE ADVANTAGE
Applying Cyber Kill Chain® Methodology to Network Defense
THE MODERN DAY ATTACKER
Cyberattacks aren’t new, but the stakes at every level are higher than ever. Adversaries are more
sophisticated, well-resourced, trained, and adept at launching skillfully planned intrusion campaigns called
Advanced Persistent Threats (APT). Our nation’s security and prosperity depend on critical infrastructure.
Protecting these assets requires a clear understanding of our adversaries, their motivations and strategies.

Adversaries are intent on the compromise and extraction of data for economic, political
and national security advancement. Even worse, adversaries have demonstrated
their willingness to conduct destructive attacks. Their tools and techniques have the
ability to defeat most common computer network defense mechanisms.

SOPHISTICATED WELL-RESOURCED MOTIVATED

 THE LOCKHEED MARTIN CYBER KILL CHAIN ®
The Cyber Kill Chain® framework is part of the Intelligence Driven
Defense® model for the identification and prevention of cyber
intrusions activity. The model identifies what the adversaries
must complete in order to achieve their objective.

1
Stopping adversaries at any stage breaks the chain of attack! Adversaries
must completely progress through all phases for success; this puts
the odds in our favor as we only need to block them at any given one
for success. Every intrusion is a chance to understand more about
2
our adversaries and use their persistence to our advantage.

The kill chain model is designed in seven steps:

3 ff Defender’s goal: understand the aggressor’s actions
ff Understanding is Intelligence
ff Intruder succeeds if, and only if, they can proceed through steps
4
1-6 and reach the final stage of the Cyber Kill Chain®.

7
RECONNAISSANCE Identify the Targets
1
ADVERSARY D E F E ND E R

The adversaries are in the planning Detecting reconnaissance as it

phase of their operation. They happens can be very difficult, but
conduct research to understand when defenders discover recon – even
which targets will enable them well after the fact – it can reveal
to meet their objectives. the intent of the adversaries.

ff Harvest email addresses ff Collect website visitor logs for

alerting and historical searching.
ff Identify employees on
social media networks ff Collaborate with web administrators to
utilize their existing browser analytics.
ff Collect press releases, contract
awards, conference attendee lists ff Build detections for browsing
behaviors unique to reconnaissance.
ff Discover internet-facing servers
ff Prioritize defenses around
particular technologies or people
based on recon activity.
WEAPONIZATION Prepare the Operation
2
ADVERSARY D E F E ND E R

The adversaries are in the preparation This is an essential phase for defenders
and staging phase of their operation. to understand. Though they cannot
Malware generation is likely not done detect weaponization as it happens,
by hand – they use automated tools. they can infer by analyzing malware
A “weaponizer” couples malware and artifacts. Detections against
exploit into a deliverable payload. weaponizer artifacts are often the
most durable & resilient defenses.
ff Obtain a weaponizer, either
in-house or obtain through ff Conduct full malware analysis –
public or private channels not just what payload it drops,
ff For file-based exploits, select “decoy” but how it was made.
document to present to the victim. ff Build detections for weaponizers
ff Select backdoor implant and – find new campaigns and new
appropriate command and control payloads only because they re-
infrastructure for operation used a weaponizer toolkit.

ff Designate a specific “mission id” ff Analyze timeline of when malware

and embed in the malware was created relative to when it was
used. Old malware is “malware off
ff Compile the backdoor and the shelf” but new malware might
weaponize the payload mean active, tailored operations.
ff Collect files and metadata
for future analysis.
ff Determine which weaponizer artifacts
are common to which APT campaigns.
Are they widely shared or closely held?
DELIVERY Launch the Operation
3
ADVERSARY D E F E ND E R

The adversaries convey the This is the first and most important
malware to the target. They have opportunity for defenders to block
launched their operation. the operation. A key measure
of effectiveness is the fraction
ff Adversary controlled delivery: of intrusion attempts that are
ff Direct against web servers blocked at delivery stage.
ff Adversary released delivery:
ff Analyze delivery medium – understand
ff Malicious email upstream infrastructure.

ff Malware on USB stick ff Understand targeted servers and

people, their roles and responsibilities,
ff Social media interactions what information is available.
ff “Watering hole” ff Infer intent of adversary
compromised websites based on targeting.
ff Leverage weaponizer artifacts to
detect new malicious payloads
at the point of Delivery.
ff Analyze time of day of when
operation began.
ff Collect email and web logs for
forensic reconstruction. Even if an
intrusion is detected late, defenders
must be able to determine when
and how delivery began.
EXPLOITATION Gain Access to Victim
4
ADVERSARY D E F E ND E R

The adversaries must exploit a Here traditional hardening

vulnerability to gain access. The measures add resiliency, but custom
phrase “zero day” refers to the capabilities are necessary to stop
exploit code used in just this step. zero-day exploits at this stage.

ff Software, hardware, or ff User awareness training and

human vulnerability email testing for employees.
ff Acquire or develop zero day exploit ff Secure coding training for
web developers.
ff Adversary triggered exploits for
server-based vulnerabilities ff Regular vulnerability scanning
and penetration testing.
ff Victim triggered exploits
ff Endpoint hardening measures:
ff Opening attachment of
malicious email ff Restrict admin privileges
ff Clicking malicious link ff Use Microsoft EMET
ff Custom endpoint rules to
block shellcode execution
ff Endpoint process auditing to forensically
determine origin of exploit.
INSTALLATION Establish Beachhead at the Victim
5
ADVERSARY D E F E ND E R

Typically, the adversaries install a Endpoint instrumentation to

persistent backdoor or implant in the detect and log installation activity.
victim environment to maintain access Analyze installation phase during
for an extended period of time. malware analysis to create
new endpoint mitigations.
ff Install webshell on web server
ff Install backdoor/implant on client victim ff HIPS to alert or block on common
installation paths, e.g. RECYCLER.
ff Create point of persistence by adding
services, AutoRun keys, etc. ff Understand if malware requires
administrator privileges or only user.
ff Some adversaries “time stomp” the file
to make malware appear it is part of ff Endpoint process auditing to
the standard operating system install. discover abnormal file creations.
ff Extract certificates of any
signed executables.
ff Understand compile time of malware
to determine if it is old or new.
C OM MAN D & CO N T R O L (C2 ) Remotely Control the Implants
6
ADVERSARY D E F E ND E R

Malware opens a command The defender’s last best chance to

channel to enable the adversary to block the operation: by blocking
remotely manipulate the victim. the C2 channel. If adversaries
can’t issue commands, defenders
ff Open two way communications can prevent impact.
channel to C2 infrastructure
ff Most common C2 channels are over ff Discover C2 infrastructure
web, DNS, and email protocols thorough malware analysis.

ff C2 infrastructure may be adversary ff Harden network:

owned or another victim network itself
ff Consolidate number of
internet points of presence
ff Require proxies for all types
of traffic (HTTP, DNS)
ff Customize blocks of C2
protocols on web proxies.
ff Proxy category blocks, including
“none” or “uncategorized” domains.
ff DNS sink holing and name
server poisoning.
ff Conduct open source research
to discover new adversary
C2 infrastructure.
ACTIONS ON OBJECTIVES Achieve the Mission’s Goal
7
ADVERSARY D E F E ND E R

With hands-on keyboard access, The longer an adversary has CKC7

intruders accomplish the mission’s access, the greater the impact.
goal. What happens next depends Defenders must detect this stage as
on who is on the keyboard. quickly as possible by using forensic
evidence – including network packet
ff Collect user credentials captures, for damage assessment.
ff Privilege escalation
ff Establish incident response playbook,
ff Internal reconnaissance including executive engagement
ff Lateral movement through environment and communications plan.

ff Collect and exfiltrate data ff Detect data exfiltration, lateral

movement, unauthorized
ff Destroy systems credential usage.
ff Overwrite or corrupt data ff Immediate analyst response
to all CKC7 alerts.
ff Surreptitiously modify data
ff Forensic agents pre-deployed to
endpoints for rapid triage.
ff Network package capture
to recreate activity.
ff Conduct damage assessment
with subject matter experts.
ANALYSIS: Identifying Patterns T IP S F OR IN T E L L IGE N T
R E CONS T R UC T ION :
Analysis of multiple intrusion kill chains over time draws attention to
similarities and overlapping indicators. Defenders learn to recognize and define ff Defenders must always analyze
intrusion campaigns and understand the intruder’s mission objectives. backward to understand earlier steps
in the kill chain. The threats will
Identify patterns: what are they looking for, why are they targeting me? come back again. Learn how they
got in and block it for the future.
This will help identify how to best protect yourself from the next attack. ff Blocked intrusions are equally
You can’t get ahead of the threat unless you understand the campaign. important to analyze in depth to
understand how the intrusion
would have progressed.
ff Measure effectiveness of your defenses
RECONSTRUCTION: Prevent Future Attacks if it progressed. Deploy mitigations
to build resilience for tomorrow.
Cyber Kill Chain® analysis guides understanding of what information is, and may be, available
for defensive courses of action. Stay focused on your threat landscape with vigilance.

RESILIENCE: Defend against Advanced Persistent Threats

The antidote to APT is a resilient defense. Measure the effectiveness of your
countermeasures against the threats. Be agile to adapt your defenses faster than the threats.
JUST ONE MITIGATION BREAKS THE CHAIN T HR E E WAY S T O
ff The defender has the advantage with the Cyber Kill Chain® solution. USE HIS T OR Y T O
All seven steps must be successful for a cyber attack to occur.
Y OUR A D VA N TA GE :
ff The defender has seven opportunities to break the chain.
ff Look for patterns to
strengthen your defense
1
CONCLUSION ff Improve your organizational
structure and response
ff Defenders CAN have the advantage: ff Know your potential threat
ff Better communicate and mitigate risks 2
surfaces, even the old ones

ff Build true resilience

ff Meaningfully measure results
ff Getting Started: Remember there is no such thing as secure, only defendable. 3
ff Start by thinking differently when you make changes to your
processes, investments, metrics, communications with your
team and leadership, staffing models, and architectures.
4
ff Know your threats…it’s not just about network defense anymore. it’s
about defending much more like your platforms and mobile users.

7
RESOURCES

White Paper

Video

Article

cyber.security@lmco.com
855-LMCYBER Connect
855-562-9237

LOCKHEED MARTIN, LOCKHEED and the STAR design trademarks used throughout are registered trademarks
in the U.S. Patent and Trademark Office owned by Lockheed Martin Corporation.

© 2015 Lockheed Martin Corporation. All Rights Reserved. | #CMK201503001

PAPER SERIES: NO. 1 — MAY 2014

The Regime Complex for Managing

Global Cyber Activities
Joseph S. Nye, Jr.
THE REGIME COMPLEX FOR MANAGING
GLOBAL CYBER ACTIVITIES
Joseph S. Nye, Jr.
Copyright © 2014 by the Centre for International Governance Innovation and the Royal
Institute for International Affairs

The opinions expressed in this publication are those of the author and do not necessarily
reflect the views of the Centre for International Governance Innovation or its Operating
Board of Directors or International Board of Governors.

This work is licensed under a Creative Commons Attribution — Non-commercial — No

Derivatives License. To view this license, visit (www.creativecommons.org/licenses/by-nc-
nd/3.0/). For re-use or distribution, please include this copyright notice.

57 Erb Street West 10 St James’s Square

Waterloo, Ontario N2L 6C2 London, England SW1Y 4LE
Canada United Kingdom
tel +1 519 885 2444 fax +1 519 885 5450 tel +44 (0)20 7957 5700 fax +44 (0)20 7957 5710
www.cigionline.org www.chathamhouse.org
TABLE OF CONTENTS
4 About the Global Commission on Internet Governance

4 About the Author

4 Acronyms

5 Introduction

5 Aspects of Cyber Governance

7 Regimes and Regime Complexes

9 Norms and Cyber Sub-issues

11 The Future Dynamics of the Cyber Regime Complex

13 Conclusions

13 Acknowledgements

14 Works Cited

16 About CIGI

16 About Chatham House

16 CIGI Masthead
GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

ACRONYMS
ABOUT THE GLOBAL CERTs computer emergency response teams
COMMISSION ON INTERNET CSIS Center for Strategic International Studies
GOVERNANCE DDoS distributed denial-of-service
DNS domain name system
The Global Commission on Internet Governance was
established in January 2014 to articulate and advance a GATT General Agreement on Tariffs and Trade
strategic vision for the future of Internet governance. The GGE Group of Governmental Experts (UN)
two-year project conducts and supports independent
research on Internet-related dimensions of global public IANA Internet Assigned Numbers Authority
policy, culminating in an official commission report that IEEE Institute of Electrical and Electronics
will articulate concrete policy recommendations for the Engineers
future of Internet governance. These recommendations
IETF Internet Engineering Task Force
will address concerns about the stability, interoperability,
security and resilience of the Internet ecosystem. ICANN Internet Corporation for Assigned Names
and Numbers
Launched by two independent global think tanks,
ISOC Internet Society
the Centre for International Governance Innovation
(CIGI) and Chatham House, the Global Commission on ISP Internet service provider
Internet Governance will help educate the wider public ITU International Telecommunication Union
on the most effective ways to promote Internet access,
while simultaneously championing the principles of LOAC Laws of Armed Conflict
freedom of expression and the free flow of ideas over NSA National Security Agency (US)
the Internet.
W3C World Wide Web Consortium
The Global Commission on Internet Governance will WCIT World Conference on International
focus on four key themes: Telecommunications
• enhancing governance legitimacy — including WGIG Working Group on Internet Governance (UN)
regulatory approaches and standards; WIPO World Intellectual Property Organization
• stimulating economic innovation and growth — WTO World Trade Organization
including critical Internet resources, infrastructure
and competition policy;

• ensuring human rights online — including

establishing the principle of technological
neutrality for human rights, privacy and free
expression; and

• avoiding systemic risk — including establishing

norms regarding state conduct, cybercrime
cooperation and non-proliferation, confidence-
building measures and disarmament issues.

The goal of the Global Commission on Internet

Governance is two-fold. First, it will encourage globally
inclusive public discussions on the future of Internet
governance. Second, through its comprehensive policy-
oriented report, and the subsequent promotion of
this final report, the Global Commission on Internet
Governance will communicate its findings with senior
stakeholders at key Internet governance events. ABOUT THE AUTHOR
www.ourinternet.org Joseph S. Nye, Jr. is a university distinguished service
professor and former dean of the Kennedy School at
Harvard University. He has served as assistant secretary
of defense for International Security Affairs, chair of the
National Intelligence Council and deputy under the
secretary of state for Security Assistance, Science and
Technology.

4 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

INTRODUCTION difficult.2 Attacks from the informational realm, where

costs are low, can be launched against the physical domain,
When we try to understand cyber governance, it where resources are scarce and expensive. Conversely,
is important to remember how new cyberspace is. control of the physical layer can have both territorial and
“Cyberspace is an operational domain framed by use of extraterritorial effects on the informational layers.
electronics to…exploit information via interconnected
systems and their associated infra structure” (Kuehl Governments and non-state actors cooperate and
2009). While the US Defense Department sponsored a compete for power in this complex arena. Cyber power
modest connection of a few computers called ARPANET can be defined in terms of a set of resources that relate
(Advanced Research Projects Agency Network) in 1969, to the creation, control and communication of electronic
and the World Wide Web was conceived in 1989, it has and computer-based information — infrastructure,
only been in the last decade and a half that the number networks, software and human skills. This includes the
of websites burgeoned, and businesses begin to use this Internet of networked computers, but also intranets,
new technology to shift production and procurement in mesh nets, cellular technologies, cables and space-based
complex global supply chains. In 1992, there were only a communications. Cyber power can be used to produce
million users on the Internet (Starr 2009, 52); today, there preferred outcomes within cyberspace, or it can use cyber
are nearly three billion, and the Internet has become a instruments to produce preferred outcomes in other
substrate of modern economic, social and political life. domains outside cyberspace. The Internet, which is a
And the volatility continues. Analysts are now trying to network of thousands of independently owned networks,
understand the implications of ubiquitous mobility, the is only part of cyberspace. Cyber attacks can come through
“Internet of everything” and storage of “big data.” Over several vectors, such as humans and hardware supply
the past 15 years, the advances in technology have far chains, as well as malware delivered over the network.
outstripped the ability of institutions of governance to Internet governance is the application by governments, the
respond, as well as our thinking about governance. private sector and civil society of principles, norms, rules,
procedures and programs that shape the evolution and use
Since the 1970s, political scientists have looked at the of the Internet (Working Group on Internet Governance
international governance processes of various global [WGIG] 2005). Naming and numbering is only a small part
affairs issues through the perspective of regime theory of Internet governance, and while Internet governance
(Keohane and Nye 1977; Ruggie 1982). This paper is is at the heart of cyberspace, it is only a subset of cyber
a mapping exercise of cyber governance using regime governance.
theory. Regimes are the “principles, norms, rules and
procedures that govern issue areas in international ASPECTS OF CYBER GOVERNANCE
affairs,” but these concepts have rarely been applied to
the new cyber domain (Krasner 1983). In its early days, There is considerable insecurity in cyberspace because
thinking about cyber governance was relatively primitive. the barriers to entry are low and offence is cheaper
Ideological libertarians proclaimed that “information than defence, which is why it is sometimes depicted as
wants to be free,” portraying the Internet as the end of analogous to the ungoverned and lawless Wild West. In
government controls. In practice, however, governments practice, however, there are many areas of private and
and geographical jurisdictions have been playing a public governance. Certain technical standards related
major role in cyber governance right from the start (see to Internet protocols are set (or not) by consensus among
Goldsmith and Wu 2006). engineers involved in the non-governmental Internet
Engineering Task Force (IETF), the World Wide Web
Cyberspace is a unique combination of physical and Consortium (W3C) and others. Their informal procedures
virtual properties.1 The physical infrastructure layer eschew voting and are sometimes summarized as “rough
largely follows the economic laws of rival resources consensus and running code.”
and increasing marginal costs, and the political laws of
sovereign governmental jurisdiction and control. The The determination as to which of these standards is broadly
virtual or informational layers have economic network applied often depends upon private corporate decisions
characteristics of increasing returns to scale, and political about their inclusion in commercial products. Private
practices that make government jurisdictional control contracts among different tiers of Internet service providers
(ISPs) use BGP (border gateway protocols) and undersea
cables to connect the many networks that make up the
Internet. The Internet Corporation for Assigned Names
and Numbers (ICANN) has had the legal status of a non-
1 Martin Libicki (2009, 12) distinguishes three layers of cyberspace:
physical, syntactic and semantic. However, with applications added
upon applications, the Internet can be conceived in multiple layers. See 2 Jonathan Zittrain points out that this may change as unowned apps,
Blumenthal and Clark (2009, 206ff) for a four-layer model. Nazli Choucri such as email, give way to proprietary apps, such as Facebook or Twitter
(2012) has also proposed multiple layers. direct messaging (pers. comm.).

Joseph S. Nye, Jr. • 5

GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

profit corporation under US law, although its procedures with successful self-governance are weak in many parts of
have evolved to include government voices (but not votes). the cyber domain because of the large size of the resource,
In any event, its mandate is limited to domain names and the large number of users and the poor understanding of
assignment of top-level numeric addresses, not the full how the system will evolve (among others).
panoply of cyberspace governance. National governments
control copyright and intellectual property laws, although In its earliest days, the Internet was like a small village
they are subject to negotiation and litigation, sometimes of known users — an authentication layer of code was
within the frameworks of the World Intellectual Property not necessary and development of norms was simple in
Organization (WIPO) and the World Trade Organization a climate of trust. All of that changed with burgeoning
(WTO). Governments also determine national spectrum growth and commercial use. While the openness and
allocation within an international framework negotiated accessibility of cyberspace as a medium of communication
at the International Telecommunication Union (ITU). provide valuable benefits to all, free-riding behaviour in
the form of crime, attacks and threats creates insecurity.
The United Nations Charter, the Laws of Armed Conflict The result is a demand for protection that can lead to
(LOAC) and various regional organizations provide a fragmentation, “walled gardens,” private networks and
general overarching framework as national governments cyber equivalents to the seventeenth century enclosures
try to manage problems of security and espionage. The that were used to solve that era’s “tragedy of the commons”
Council of Europe’s Convention on Cybercrime (2014) in (Ostrom 2009, 421; Hurwitz 2009). Internet experts worry
Budapest provides a legal framework that has been ratified about “balkanization” or fragmentation. To some extent
by 42 states. Incident response teams (computer emergency that has already occurred, yet most states do not want
response teams [CERTs] and CSIRTs [Computer Security fragmentation into a “splinter-net” that would curtail
Incident Response Teams]) cooperate regionally and economic benefits.
globally to share information about disruptions. Bilateral
negotiations, track two dialogues, regular forums and Providing security is a classic function of government, and
independent commissions strive to develop norms and some observers believe that growing insecurity will lead
confidence-building measures. Much of the governance to an increased role for governments in cyberspace. Many
efforts occur within national legal frameworks, although states desire to extend their sovereignty in cyberspace,
the technological volatility of the cyber domain means that seeking the technological means to do so. As Diebert
laws and regulations are always chasing a moving target. and Rohozinski (2010) put it, “securing cyberspace has
definitely entailed a ‘return of the state’ but not in ways
The cyberspace domain is often described as a public good that suggest a return to the traditional Westphalian
or a global commons, but these terms are an imperfect paradigm of state sovereignty.” Moreover, while accounts
fit. A public good is one from which all can benefit and of cyberwar have been exaggerated, cyber espionage is
none should be excluded, and while this may describe rampant and more than 30 governments are reputed to
some of the information protocols of the Internet, it does have developed offensive capabilities and doctrines for the
not describe the physical infrastructure, which is a scarce use of cyber weapons (Rid 2013). US Cyber Command has
proprietary resource located within the boundaries of announced plans to employ 6,000 professionals by 2016
sovereign states and more like a “club good” available to (Garamone 2014). Ever since the Stuxnet virus was used
some, but not all. And cyberspace is not a commons like the to disrupt Iran’s nuclear centrifuge program in 2009 and
high seas, because parts of it are under sovereign control. 2010, the hypothetical use of cyber weapons has become
At best, it is an “imperfect commons” or a condominium very real to governments (Demchak and Dombrowski
of joint ownership without well-developed rules (pers. 2011, 32).
comm. with James A. Lewis; see Center for Strategic
International Studies [CSIS] 2008). It has also been termed Efforts to attack or secure a government network also
a club good where a shared resource is subject to various involve the use of cyber weapons by non-state actors. The
degrees of exclusion according the rules and agreements of number of criminal attacks has increased, with estimates
different institutions (Raymond 2013). of global costs ranging from US$80–400 billion annually
(Lewis and Baker 2013, 5). Corporations and private actors,
Cyberspace can also be categorized as what Elinor Ostrom however, can also help to protect the Internet, and this often
termed a “common pool resource,” from which exclusion entails devolution of responsibilities and authority (Deibert
is difficult and exploitation by one party can subtract value and Rohozinski 2010, 30; see Demchak and Dombrowski
for other parties.3 Government is not the sole solution to 2011). For example, banking and financial firms have
such common pool resource problems. Ostrom showed developed their own elaborate systems of security and
that community self-organization is possible under certain punishment through networks of connectedness, such
conditions. However, the conditions that she associated as depriving repeat offenders of their trading rights,
and by slowing speeds and raising transaction costs for
3 See Ostrom et al. (1999, 278), for a challenge to Garrett Hardin’s
addresses that are associated with suspect behaviour.
(1968, 1243) formulation of “the tragedy of the commons.” Informal consortia, such as the Conficker Working Group,

6 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

have arisen to deal with particular problems, and hacker has a degree of hierarchical coherence among norms. A
groups like Anonymous have acted to punish corporate regime complex is a loosely coupled set of regimes. On a
and government behaviour of which they disapprove. spectrum of formal institutionalization, a regime complex
is intermediate between a single legal instrument at one
Governments want to protect the Internet so their societies end and fragmented arrangements at the other. While
can continue to benefit from it, but at the same time, they there is no single regime for the governance of cyberspace,
also want to protect their societies from what might come there is a set of loosely coupled norms and institutions that
through the Internet. China, for example, has developed ranks somewhere between an integrated institution that
a firewall and pressures Chinese companies to self-censor imposes regulation through hierarchical rules, and highly
behind it, and the country could reduce its connections to fragmented practices and institutions with no identifiable
the Internet if it is attacked (Clarke and Knake 2012, 146). core and non-existent linkages.
Nonetheless, China — and other governments — still seeks
the economic benefits of connectivity. The tension between The oval map of cyber governance activities in Figure 1
protection of the Internet and protecting society leads to mixes norms, institutions and procedures, some of which
imperfect compromises (see Zittrain 2008). Reaching an are large in scale, while others are relatively small; some are
agreement on norms to govern security is complicated quite formal and some very informal. The labels are often
by the fact that while Western countries speak of “cyber arbitrary.4 The oval is not designed to map all governance
security,” authoritarian countries such as Russia and China activities in cyberspace (which is a massive undertaking)
refer to “information security,” which includes censorship and, thus, is deliberately incomplete. Like all heuristics, it
of content that would be constitutionally protected in distorts reality as it simplifies. Nonetheless, it is a useful
democratic states. corrective to the usual UN versus multi-stakeholder
dichotomy as an approach to cyber governance, and it
These differences were dramatized at the December 2012 locates Internet governance within the larger context of
World Conference on International Telecommunications cyber governance. First, it indicates the extent and wide
(WCIT) convened by the ITU in Dubai. Although the range of actors and activities related to governance that
meeting was ostensibly about updating telephony exist in the space. Second, it separates issues related to
regulations, the underlying issue was the extent to which the technical function of connectivity, such as the domain
the ITU would play a role in the governance of the Internet. name system (DNS) and technical standards where a
Authoritarian countries, and many developing countries, relatively coherent and hierarchical regime exists, from
feel that their approach to security and development the much broader range of issues that constitute the
would benefit from the UN bloc politics that characterize larger regime complex. Third, it encourages us to think
the ITU. Moreover, they dislike the fact that ICANN is a of layers and domains of cyber governance that are much
non-profit incorporated in the United States and at least broader than just the issues of DNS and ICANN, which
partially accountable to the US Commerce Department. have limited functions and little to do directly with larger
Western governments, on the other hand, fear that the issues such as security, human rights or development. As
cumbersome features of the ITU would undercut the Laura DeNardis (2014, 226) writes, “a question such as
flexibility of the “multi-stakeholder” process that stresses ‘who should control the Internet, the United Nations or
the role of the private and non-profit sectors as well as some other organization’ makes no sense whatsoever. The
governments. While there are different interpretations of appropriate question involves determining what is the
multi-stakeholderism, which can be traced back to the most effective form of governance in each specific context.”
Geneva and Tunis meetings of the UN’s World Summit on
the Information Society in 2003 and 2005 (Maurer 2011), When we look at the whole range of cyber governance
respectively, the vote in Dubai was 89 to 55 (Klimburg issues, some of the bipolarity in alignments that
2013, 3) against the “Western” governments (including characterized the WCIT begins to erode. Liberalism is
Japan and India). In the aftermath of the WCIT conference, not the only divide. For example, some of the countries
there were articles about the crisis in Internet governance that voted against the West were not authoritarian, but
and worries about a new Cold War (see Klimburg 2013; were post-colonial or developing countries concerned
Mueller 2012). Many of these fears were overstated, about issues of sovereignty, which can be swayed by
however, if one looks at cyber governance through the lens programs to develop their cyber capabilities or to protect
of regime theory. the interests of their telecom companies. Also, within the
liberal democratic bloc, there are important differences
REGIMES AND REGIME COMPLEXES between the United States and Europe over issues of
privacy, which have been increased by Edward Snowden’s
Regimes are a subset of norms, which are shared revelations regarding surveillance. Such issues may wind
expectations about appropriate behaviour. Norms can up having strong effects and being resolved within trade
be descriptive, prescriptive or both. They can also be
institutionalized (or not) to varying degrees. A regime
4 I am indebted to Alexander Klimburg for help with the labels.

Joseph S. Nye, Jr. • 7

GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

Figure 1: The Regime Complex for Managing Global Cyber Activities

International Law
Conventions Human Rights
Regimes
UN Charter, UNGA
Resolutions and LOAC ICCPR
Government Groupings
G8, G20, 3G and OECD
UN — 1/3 Committee UN — WSIS Process
GGE IGF, WSIS and WGIG
Telecom Regimes
ITU (ITRs) and GUCCI
Conferences
Incident Response Regimes
London Process,
IWWN and FIRST
International Policy Standards NETmundial and Regional Organizations
1Net Group
ICANN, IANA, ISOC and RIRs CoE, OSCE, SCO, OAS and ARF
Intelligence Corporate Decisions
Community Independent
ISPs and telcos (including Internet Technical Standards
Alliances Commissions Civil Rights Organizations
routing and content)
IETF, W3C and IAB
“Five Eyes” and Toomas Hendrik EFF, Freedom House and Access
Bern Group Ilves, Carl Bildt

Track One and Two International Finance Institutions

Law Enforcement Cooperation Dialogues Industrial ICT Standards
IMF, World Bank, EBRD, OECD DAC
Council of Europe Convention on US/China and IEEE and ICT4D
Cybercrime and INTERPOL Europe/China

Trade Regimes
Intellectual Property Regimes
WTO and Wassenaar
WIPO and ACTA Arrangement

Source: Author.

Acronyms for Figure 1

ACTA Anti-Counterfeiting Trade GUCCI Global Undersea ITRs International
Agreement Communications Cable Telecommunication
Infrastructure Regulations
ARF Association of Southeast Asian
Nations Regional Forum IAB Internet Architecture Board IWWN International Watch and
Warning Network
CoE Council of Europe IANA Internet Assigned Numbers
Authority OAS Organization of American
DAC Development Assistance
States
Committee (OECD) ICCPR International Covenant on
Civil and Political Rights OECD Organisation for Economic
EBRD European Bank for
Co-operation and
Reconstruction and ICT information and
Development
Development communications technology
OSCE Organization for Security and
EFF Electronic Frontier Foundation ICT4D Information and
Co-operation in Europe
Communication Technologies
FIRST Forum for Incident Response
for Development RIRs regional Internet registries
and Security Teams
IEEE Institute of Electrical and SCO Shanghai Cooperation
“Five Eyes” Alliance of Australia, Canada,
Electronics Engineers Organisation
New Zealand, the United
Kingdom and the United IETF Internet Engineering Task telcos telecommunications company
States Force
UNGA United Nations General
G8 Group of Eight IGF Internet Governance Forum Assembly
G20 Group of Twenty IMF International Monetary Fund WSIS World Summit on the
Information Society
GGE Group of Governmental ISOC Internet Society
Experts (UN)

8 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

agreements like the proposed Trans-Atlantic Trade and “adaptability and flexibility are particularly important
Investment Partnership. It oversimplifies the politics of in a setting...in which the most demanding international
cyber governance to compress all of these dimensions commitments are interdependent yet governments vary
into a bipolar dispute over liberal versus authoritarian widely in their interest and ability to implement them.”
approaches to content control.
NORMS AND CYBER SUB-ISSUES
This mapping of a regime complex also indicates the
importance of linkages of cyber to normative and regime The norms that affect the various sub-issues of regime
structures outside the issue area. The various actors that complexes can be compared along a variety of dimensions
are located at the edge of the oval have independent such as effectiveness, resilience, autonomy and others
structures of power and institutions outside the cyber (Hasenclever, Mayer and Rittberger 1997). It is more useful
issue area, but still play a significant role in issues of cyber to compare cyber issues in terms of four dimensions:
governance. In other words, much of cyber governance depth, breadth, fabric and compliance. Depth refers to
comes from actors and institutions that are not focused the hierarchical coherence of a set of rules or norms. Is
purely on cyber. Moreover, these institutions compete there an overarching set of rules, which are compatible
and are used in a process of “contested multilateralism,” and mutually reinforcing (even if they are not adhered
whereby state and non-state actors seek to shape the to or complied with by all actors)? For example, on the
norms that govern activities within the oval (Morse and issue of domain names and standards, the norms, rules
Keohane, forthcoming). and procedures have coherence and depth; however, on
the issue of espionage, there are few. Breadth refers to the
Finally, this approach helps to relieve some of the fears scope of the numbers of state and non-state actors that
of extreme balkanization. Interference with the central have accepted a set of norms (whether they fully comply
regime of domain names and standards could fragment or not). For instance, on the issue of crime, 42 states have
the functioning of the Internet, and it might make sense ratified the Budapest convention.
to consider a special treaty limited to that area (Sofaer,
Clark and Diffie 2010). However, trying to develop a “Fabric” refers to the mix of state and non-state actors in an
treaty for the broad range of cyberspace as a whole could issue area. This is particularly interesting in cyber because
be counterproductive. The loose coupling among issues the low barriers to entry mean many of the resources and
that now exists permits cooperation among actors in some much of the action is controlled by non-state actors. Issues
areas at the same time that they have disagreements in with a high degree of state control have a “tight fabric”;
others. For example, China and the United States can use those where non-state actors are pre-eminent have a
the Internet for economic cooperation even as they differ loosely woven fabric. Security issues such as the laws of
on human rights and content control. Countries could war in cyber have a tight fabric of sovereign control, while
cooperate on cybercrime, even while they differ on laws of the DNS has a loose fabric in which non-state actors play
war or espionage. a major role. As suggested above, a loosely woven fabric
is not synonymous with shallowness or incoherence. A
What regime complexes lack in coherence, they make up fourth dimension for comparison is compliance: how
in flexibility and adaptability. Particularly in a domain widespread is the behavioural adherence to a set of
with extremely volatile technological change, these norms? For instance, on the sub-issue of domain names
characteristics help both states and non-state actors to and standards, compliance is high; on issues of privacy it
adjust to uncertainty. Moreover, they permit the formation is mixed; and on human rights it is low. Some of the major
of clubs or smaller groupings of like-minded states than can sub-issues of the cyber regime complex are compared
pioneer the development of norms that may be extended along these dimensions below. (The list is not designed to
to larger groups at a later time. As Keohane and Victor be complete and other rows for trade, intellectual property
(2011, 7) note of the regime complex for climate change, or development can easily be added to the table.)

Table 1: Some Issues in the Cyber Regime Complex

Depth Breadth Fabric Compliance
DNS/standards High High Loose High
Crime High Medium Mixed Mixed
War/sabotage Medium Low Tight Low
Espionage Low Low Mixed Low
Privacy Medium Low Mixed Mixed
Content control Low Low Loose Low
Human rights Medium Medium Loose Low

Source: Author.

Joseph S. Nye, Jr. • 9

GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

The variation in the characteristics of these sub-issues after extradition laws that relate to actions that are “doubly
suggests why cyberspace is likely to remain a regime criminal” — that is, illegal in both countries.
complex rather than a single, strong regime for some time.
As Keohane and Victor (2011, 8) argue in regard to climate War has an overarching normative structure that is derived
change, it is “actually many different cooperation problems, from the UN Charter and the LOAC. The issue has a tight
implying different tasks and structures. Three forces — structure growing out of the nature of war as a sovereign
the distribution of interests, the gains from linkages, and action of states. The third meeting of the UN’s GGE, which
the management of uncertainty — help to account for the concluded in July 2013, agreed in principle that such
variation in the institutional outcomes, from integration to laws applied in the cyber domain. What this means in
fragmentation.” This is clearly true of cyberspace as well, practice, when there is great technological uncertainty, is
though it is important to notice the difference there is one more challenging. While a group of NATO legal scholars
area of the cyber domain where interests and gains from has produced the Tallinn Manual on International Law
linkages are strong enough that a coherent regime exists. Applicable to Cyber Warfare — which attempts to translate
general principles regarding proportion, discrimination
Partly because of strong common interests in connectivity, and collateral damage into the cyber domain — the scope
and partly because of path dependency and the way the of the acceptance of these principles has been limited by its
basic standards of the Internet were established in the origins (Schmitt 2013). While there has been no cyberwar
United States, there is a core regime related to standards in a strict sense, there has been cyber sabotage, such as
and assigned names and numbers including management Stuxnet, and cyber instruments, such as distributed denial-
of the DNS root zone servers. While there has been of-service (DDoS) attacks, which were used in the Russian
controversy about the status of ICANN, and the US invasion of Georgia. On the other hand, there have been
government has indicated it plans to devolve the IANA press accounts that the United States decided not to use
function to ICANN in the future, no state has thus far found cyber adjuncts in Iraq, Libya and elsewhere, because
it would benefit from ceasing to comply. The development of uncertainties about civilians and collateral damage
of standards is advanced primarily by non-state actors, (Schmitt and Shanker 2011; Markoff and Shanker 2009).
such as the IETF, the W3C, the IEEE and others, where Thus, compliance is judged with these norms as mixed.
states and voting have minimal effect. This is the area of
cyber where the concept of multi-stakeholderism is most According to press accounts, there is extensive use of cyber
apparent. espionage by a wide variety of states and non-state actors.
While espionage is an ancient practice that is not against
Crime might seem to be the next likely sub-issue to be international law, it often violates the domestic laws of
susceptible to regime formation. The issue has a loose sovereign states. Traditionally (for example, in the US-
fabric in which spammers, criminals and other free riders Soviet competition during the Cold War), rough “rules of
impose large costs on both states and private actors. The the road” led to reciprocal expulsions and reductions in
Budapest convention provides a coherent structure with diplomatic missions as a means of regulating the friction
depth, but its breadth has been limited by its origins in created by espionage. Thus far, cyber espionage is so easy
Europe. Many post-colonial countries and authoritarian and relatively safe that no such rules of the road have
countries such as Russia and China object to obligations been developed. The United States has complained about
that they see as intrusions on their sovereignty as well Chinese cyber espionage that steals intellectual property,
as the European origin of the norms. Some developing and raised the issue at the summit between US President
countries also see little to gain by joining, as few of their Barack Obama and President of the People’s Republic of
national companies would benefit, while they fear the China Xi Jinping in June 2013. However, the US effort to
potentially high costs of enforcement, should they to create a norm that differentiates spying for commercial
become signatories. Moreover, some private companies gain from all other spying has been lost in the noise created
find it is in their economic interest to hide the extent to by the revelations of extensive National Security Agency
which they have been victimized and simply absorb it (NSA) surveillance released by Snowden (Goldsmith
as a business cost, rather than suffer reputational and 2013). Moreover, normative efforts have been plagued
regulatory costs. States may also think that the costs are by the loose fabric of the issue. Although the exposure
not high enough to merit action — even if cybercrime of Chinese spying in 2013 by Mandiant suggested a clear
costs US$400 billion, it is still only 0.05 percent of global government connection, many other instances are more
GDP. Thus, insurance markets are difficult to develop ambiguous about whether they are by government or non-
and compliance is far from satisfactory. This may change state actors (Sanger, Barboza and Perlroth 2013).
in the future if the costs of cybercrime increase, given its
sophistication and scope. Despite differences over what Privacy is a sub-issue of growing importance given the
information activities constitute a crime in authoritarian increases in computing power and storage that are often
and democratic countries, cooperation could be modelled summarized as the “era of big data.” There are widespread
concerns about companies, criminals and governments
storing and misusing personal data. At the same time, in

10 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

the age of social media, there are changing generational protected online. Within the declaration, however, there is
attitudes in many societies about where to draw the a potential tension between Article 19 (freedom of opinion
appropriate lines between public and private. Private and expression) and Article 29 (public order and general
terms-of-service agreements are often cumbersome and welfare). On the other hand, different states interpret the
opaque to consumers. Additionally, personal identification declaration in different ways, and authoritarian states
information, once on the Internet, can end up in numerous that feel threatened by freedom of speech or assembly
places, rendering futile most efforts to have the initial make no exceptions for the Internet. The US government
posting site remove it. At the same time, European efforts has proclaimed an Internet freedom agenda, but has not
to enforce a “right to be forgotten” with legal excisions of explained whether this includes a right of privacy for
history have raised concerns among some civil libertarians. foreigners. This agenda has also been complicated in the
The concept of privacy is poorly defined and understood, wake of the Snowden revelations. In 2011, the Netherlands
and has very different legal structures in Europe and the held a conference that launched a Freedom Online
United States, not to mention authoritarian states (see Coalition, which now includes 22 states committed to
Brenner 2014). Thus, it is not surprising that while there human rights online, but the disparities in behaviour led
are conflicting norms, the normative structure for the sub- to the conclusion that the normative structure in this sub-
issue lacks depth, breadth or compliance. issue lacks depth, breadth or compliance. Nonetheless,
the loose fabric of the issue allows ample opportunity for
Content control is another sub-issue with conflicting non-state actors to press for human rights in cyberspace.
norms with little depth or breadth. For authoritarian For instance, the civil society organization Global Network
states, information that crosses borders by any means and Initiative has been pressing private companies to sign
jeopardizes the stability of a regime is a threat. The SCO has, up to principles that advance transparency and respect
therefore, expressed a concern about information security, human rights (MacKinnon 2012, chapter 14).
and Russia and China have proposed UN resolutions to
that effect. In practice, authoritarian countries filter such THE FUTURE DYNAMICS OF THE
threatening messages and would like to have a normative
structure that would encourage other states to comply. CYBER REGIME COMPLEX
But the United States could not stop a Falun Gang email
Given the youth of the issue and the volatility of the
to China without violating the free speech clauses of the
technology, there are many potential paths along which
US Constitution. This is why democratic countries refer to
cyber norms may evolve. Regime theorists have developed
cyber security and argue against the control of the content
three quite different causal models that tend to complement
of Internet packets.
each other. Realists argue that regimes are created and
At the same time, democratic countries do control some sustained by the most powerful state. Such hegemons
content. Most try to stop child pornography but are have the incentive to provide public goods and discipline
divided on issues such as hate speech, and many Internet free riders because they will benefit disproportionately.
corporations have been caught between conflicting national But, as their power ebbs, the maintenance of regimes
legal systems. Moreover, this sub-issue has a loosely woven becomes more difficult (Gilpin 1987). From this point of
fabric and various private groups create black and gray view, the declining US control of the Internet suggests
lists of what they regard as violators of various norms. future fragmentation.
In some cases, these vigilantes have been able to borrow
A second approach, liberal institutionalism, emphasizes
the authority of government (Mueller 2010, chapter 9).
the rational self-interest of states seeking the benefits
Copyright is another important area related to content
of cooperative solutions to collective action problems.
control. For example, the proposed Stop Online Piracy
Regimes and their institutions help states achieve benefits
Act in the US Congress would have required Web hosting
by providing information and reducing transactions costs.
companies, search engines and ISPs to sever relations
They cut contracting costs, provide focal points, enhance
with websites and users found in violation of copyright.
transparency and credibility, monitor compliance and
While such measures have met with strong resistance, it is
provide a basis for sanctioning deviant behaviour (Keohane
likely they will remain contentious both in domestic and
1984). This approach helps to explain why a regime exists
transnational politics. Thus, there is no depth, breadth or
for the DNS where perceived interests in cooperation are
widespread compliance with a normative structure for
high, while a regime does not exist in the sub-issue of
content control.
espionage where interests diverge significantly.
Human rights is a cyber sub-issue that has many of the
A constructivist set of theories emphasizes cognitive
same problems of conflicting values that plague content
factors, such as how constituencies, groups and social
control, but there is an overriding legal structure in the form
movements change the perception and organization of
of the Universal Declaration of Human Rights. Moreover,
their interests over time (Ruggie 1998). It is a cliché that
in June 2012, the UN Human Rights Council affirmed
states act in their national interest. The important question
that the same rights that people have off-line must also be

Joseph S. Nye, Jr. • 11

GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

is how those interests are perceived and implemented. accompanied the Russian disruption of Estonia in 2007
This is particularly important in the cyber domain, where and invasion of Georgia in 2008; the establishment of the
the technology is new, and states are still struggling to American Cyber Command in 2009; and the discovery
understand and define their interests. In a chronological of Stuxnet in 2010. Others point to the 2013 Snowden
analogy, state learning of interests in the cyber domain is revelations that the NSA not only carried out espionage
equivalent to about the year 1960, in what was then a new (which is not new or unique), but allegedly subverted
technology of nuclear weapons and nuclear energy (Nye encryption standards and open-source software. Some
2011a). It was not until 1963 that the first arms control treaty technologists believe that trust can be rebuilt from the
was ratified — the atmospheric test ban — and 1968 that bottom up with new software technologies, as well as
the Non-Proliferation Treaty was signed. The situation in procedures for inspection of hardware supply chains.
cyber is made more complex by the much greater roles of a Others argue that low trust will be a persistent condition
diverse set of private and non-profit actors responding to and it will exacerbate a fragmenting trend toward greater
rapid social and economic change. Transnational epistemic control by sovereign states (see Schneier 2013).
communities of people and groups that share ideas and
outlooks — such as ISOC and the IETF — play important Some analysts reinforce their pessimistic projections
roles (Adler and Haas 1992). Over time, the extent and by pointing to realist theories about the decline of US
interests of these cyber epistemic communities has grown. hegemony over the Internet. In its early days, the Internet
Cognitive theories help to explain the evolution of norms, was largely American, but today, China has twice as
but also why there is considerable fragmentation in the many users as the United States. Where once only roman
normative structures of sub-issues like privacy, content characters were used on the internet and HTML tags
control and human rights. were based on abbreviated English words, now there are
generic top-level domain names in Chinese, Arabic and
Optimists about the development of norms in the cyber Cyrillic scripts, with more alphabets expected to come
regime complex can point to some recent evidence of online shortly (ICANN 2013). And in 2014, the United
progress. For example, the disagreement between the States announced that it would relax its Department
sovereigntist and multi-stakeholder philosophies seemed of Commerce’s supervision of ICANN and the IANA
somewhat less stark at the NETmundial conference in function. Some experts worried that this would open the
Sao Paolo, Brazil in 2014 than at the WCIT conference in way for authoritarian states to try to exert control over
Dubai in 2012. Moreover, while early meetings of the GGE the system of root zone servers, and use that to censor the
were unable to reach consensus, the latest meeting reached addresses of opponents.
agreement on a number of points, including the principle
that international laws of war applied to cyberspace. In Such fears seem exaggerated both on technical grounds
addition, the number of states acceding to the Council and in their underlying premises. Not only would such
of Europe’s Convention on Cybercrime has gradually censorship be difficult, but, as liberal institutionalist
increased, and INTERPOL has established a cybercrime theories point out, there are self-interested grounds for
centre in Singapore. Forty-one states have agreed to use states to avoid such fragmentation of the Internet. In
the Wassenaar Arrangement on Export Controls for addition, the descriptions in the decline in US power
Conventional Arms and Dual-Use Goods and Technologies in the cyber regime are overstated. Not only does the
to stop sales of spyware to authoritarian countries. There United States remain the second-largest user of the
has been an increase in international and transnational Internet, but it is also the home of eight of the 10 largest
cooperation among CERTs. Before the recent dispute over global information companies (Statista 2013).5 Moreover,
Ukraine, the United States and Russia agreed that their when one looks at the composition of voluntary multi-
hotline arrangements would be extended to cyber events. stakeholder communities such as the IETF, one sees a
The United States and China established an official working disproportionate number of Americans participating for
group on cyber in 2013. Numerous track two groups and path dependent and technical expertise reasons. From an
various private conferences and commissions continued institutionalist or constructivist viewpoint, the loosening
to work on the development of norms. Industry groups of US influence over ICANN could be seen as a strategy
continued to work on standards regarding everything for strengthening the institution and reinforcing the
from undersea cable protection to financial services. And American multi-stakeholder philosophy rather than as a
non-profit groups pressed companies and governments to sign of defeat (Zittrain 2014).
protect privacy and human rights.
It is interesting to look at the experience of other regimes
Conversely, pessimists about normative change in the when US pre-eminence diminished in an issue area. In
cyber regime complex point to the overall decline of the trade, for example, the United States was by far the largest
trust that is so important in the issue area. Some observers trading nation when the General Agreement on Tariffs and
date this loss to what they see as the militarization
of cyberspace symbolized by: the DDOS attacks that 5 Note that Yahoo and Yahoo-Japan have been treated as one entity for
the purposes of company rankings.

12 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

Trade (GATT) was created in 1947, and the United States CONCLUSIONS
deliberately accepted trade discrimination by Europe and
Japan as part of its Cold War strategy. After those countries Predicting the future of the normative structures that will
recovered, they joined the United States in a club of like- govern the various issues of cyberspace is difficult because
minded nations within the GATT (Keohane and Nye of the newness and volatility of the technology, the rapid
2001). In the 1990s, as other states’ shares of global trade changes in economic and political interests, and the social
increased, the United States supported the expansion and generational cognitive evolution that is affecting how
of GATT into the WTO, and the club model became state and non-state actors understand and define their
obsolete. The United States supported Chinese accession interests. While the explanations are complementary, it
to the WTO and China surpassed it as the world’s largest seems likely that liberal institutionalist and cognitive
trading nation. While global rounds of trade negotiations regime theories will provide better tools for understanding
became more difficult to accomplish and various free trade those changes than oversimplified theories of hegemonic
agreements proliferated, the rules of the WTO continued transition.
to provide a general framework where the norm of most
favoured nation status and reciprocity created a structure One projection does seem clear. It is unlikely that there
where particular club deals could be generalized to a will be a single overarching regime for cyberspace any
larger number of countries. Moreover, new entrants, such time soon. A good deal of fragmentation exists now and
as China, found it in their interests to observe even adverse is likely to persist. The evolution of the present regime
judgments of the WTO dispute settlement process. complex, which lies halfway between a single coherent
legal structure and complete fragmentation of normative
Similar to the non-proliferation regime, when the United structures, is more likely. Different sub-issues are likely
States had a nuclear monopoly in the 1940s, it proposed to develop at different rates, with some progressing and
the Baruch Plan for UN control, which the Soviet Union some regressing in the dimensions of depth, breadth
rejected in order to pursue it own nuclear weapons. In the and compliance. Some areas, such as crime, in which
1950s as nuclear technology spread, the United States used states have common interests against third-party free
the Atoms for Peace program, coupled with inspections riders, seem ripe for interstate agreement, even if only an
by the new International Atomic Energy Agency, to try to agreement to assist in legal and forensic efforts (Tikk 2011).
separate the peaceful from weapons purposes. During the Other issues, such as privacy, may see compromises in the
1960s, the five nuclear weapon states negotiated the Non- context of trade negotiations, which apparently have no
Proliferation Treaty, which promised peaceful assistance to direct connection with the cyber area. And some areas,
states that accepted a legal status of non-nuclear weapon such as war, may not be susceptible to formal arms control
states. In the 1970s, after India’s explosion of a nuclear agreements, but may see the evolution of declaratory policy,
device and the further spread of technology for the confidence-building measures and rough rules of the road.
enrichment and reprocessing of fissile materials, the United Rather than global agreements, like-minded states may
States and like-minded states created a Nuclear Suppliers act together to avoid destabilizing behaviour, and later
Group that agreed “to exercise restraint” in the export of try to generalize such behaviour to a broader group of
sensitive technologies, as well as an International National actors through means ranging from formal negotiation to
Nuclear Fuel Cycle Evaluation, which called into question development assistance. Whatever the outcomes, analysts
the optimistic projections about the use of plutonium fuels. interested in the development of normative structures
While none of these regime adaptations were perfect, and for the governance of cyberspace should avoid the over-
problems persist with North Korea and Iran today, the net simplified popular dichotomies of a “war” between the
effect of the normative structure was to slow the growth in ITU and ICANN. Instead, they would do better to view the
the number of nuclear weapon states from the 25 expected problems in the full complexity offered by regime theories
in the 1960s to the nine that exist today (see Nye 1981). In and the concept of regime complexes.
2003, the United States launched the Proliferation Security
Initiative, a loosely structured grouping of countries ACKNOWLEDGEMENTS
that shares information and coordinates efforts to stop
trafficking in nuclear proliferation-related materials. I am indebted to Amelia Mitchell for research assistance,
and to Laura DeNardis, Fen Hampson, Melissa Hathaway,
In short, projections based on realist theories of hegemony Roger Hurwitz, James Lewis, Robert O. Keohane,
are based on poorly specified indicators of change (see Alexander Klimberg, John Mallery, Tim Maurer, Bruce
Nye 2011b, chapter 6). Even after monopolies over a new Schneier and Jonathan Zittrain for comments.
technology erode, it is possible to develop normative
frameworks for governance of an issue area.

Joseph S. Nye, Jr. • 13

GLOBAL COMMISSION ON INTERNET GOVERNANCE Paper Series: no. 1 — May 2014

WORKS CITED Goldsmith, Jack and Tim Wu. 2006. Who Controls the
Internet? Illusions of a Borderless World. Oxford: Oxford
Adler, Emmannuel and Peter M. Haas. 1992. “Conclusion: University Press.
Epistemic Communities, World Order, and the Creation
of a Reflective Research Program.” International Hardin, Garrett. 1968. “The Tragedy of the Commons.”
Organization 46 (1): 367–90. Science 162 (3859).

Blumenthal, Marjory and David D. Clark. 2009. “The Hasenclever, Andrea, Peter Mayer and Volker Rittberger.
Future of the Internet and Cyberpower.” In Cyberpower 1997. Theories of International Regimes. Cambridge:
and National Security, edited by Franklin D. Kramer, Cambridge University Press.
Stuart Starr and Larry K. Wentz. Washington, DC: Hurwitz, Roger. 2009. “The Prospects for Regulating
National Defense University Press. Cyberspace.” Unpublished paper. November.
Brenner, Joel. 2013. “Mr. Wemmick’s Condition; or Privacy ICANN. 2013. “Internet Domain Name Expansion Now
as a Disposition, Complete with Skeptical Observations Underway.” News release, October 23. www.icann.org/
Regarding Various Regulatory Enthusiasms.” Lawfare en/news/press/releases/release-23oct13-en.
Research Paper Series 2 (1): 1–43.
Keohane, Robert O. 1984. After Hegemony: Cooperation and
Choucri, Nazli. 2012. Cyberpolitics in International Relations. Discord in the World Political Economy. Princeton, NJ:
Cambridge: MIT Press. Princeton University Press.
Clarke, Richard A. and Robert K. Knake. 2012. Cyber War: Keohane, Robert O. and Joseph S. Nye. 1977. Power and
The Next Threat to National Security and What to Do About Interdependence. Boston: Little, Brown.
It. New York: Ecco.
———. 2001. “Between Centralization and Fragmentation:
Council of Europe Convention on Cybercrime. 2014. The Club Model of Multilateral Cooperation and
“Convention on Cybercrime CETS No.: 185.” Problems of Democratic Legitimacy.” John F. Kennedy
http://conventions.coe.int/Treaty/Commun/ School of Government, Harvard University Faculty
ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG. Research Working Paper Series, RWP01-004.
CSIS. 2008. Securing Cyberspace for the 44th Presidency: A Keohane, Robert O. and David G. Victor. 2011. “The Regime
Report of the CSIS Commission on Cybersecurity for the Complex for Climate Change.” Perspectives on Politics 9.
44th Presidency. Washington, DC: CSIS.
Klimburg, Alexander. 2013. “The Internet Yalta.”
Deibert, Ronald J. and Rafal Rohozinski. 2010. “Risking Center for a New American Security Commentary.
Security: Policies and Paradoxes of Cyberspace www.cnas.org/sites/default/files/publications-
Security.” International Political Sociology 4 (1). pdf/CNAS_WCIT_commentary%20corrected%20
Demchak, Chris C. and Peter Dombrowski. 2011. “Rise of %2803.27.13%29.pdf.
a Cybered Westphalian Age.” Strategic Studies Quarterly Krasner, Stephen, ed. 1983. International Regimes. Ithaca,
(Spring). NY: Cornell University Press.
DeNardis, Laura. 2014. The Global War for Internet Kuehl, Daniel T. 2009. “From Cyberspace to Cyberpower:
Governance. New Haven: Yale University Press. Defining the Problem.” In Cyberpower and National
Garamone, Jim. 2014. “Hagel Thanks Alexander, Cyber Security, edited by Franklin D. Kramer, Stuart Starr
Community for Defense Efforts.” American Forces and Larry K. Wentz, 26–28. Washington, DC: National
Press Service, March 28. www.defense.gov/news/ Defense University Press.
newsarticle.aspx?id=121928. Lewis, James A. and Stewart Baker. 2013. The Economic
Gilpin, Robert. 1987. “The Theory of Hegemonic Stability.” Impact of Cybercrime and Cyberespionage. CSIS report.
Understanding International Relations: 477–84. h t t p : / / c s i s . o rg / f i l e s / p u b l i c a t i o n / 6 0 3 9 6 r p t _
cybercrime-cost_0713_ph4_0.pdf.
Goldsmith, Jack. 2013. “Reflections on U.S. Economic
Espionage, Post-Snowden.” Lawfare, December 10. Libicki, Martin. 2009. Cyberdeterrence and Cyberwar. Santa
www.lawfareblog.com/2013/12/reflections-on-u-s- Monica: RAND.
economic-espionage-post-snowden/. MacKinnon, Rebecca. 2012. Consent of the Networked: The
Worldwide Struggle for Internet Freedom. New York: Basic
Books.

14 • CENTRE FOR INTERNATIONAL GOVERNANCE INNOVATION • CHATHAM HOUSE

 The Regime Complex for Managing Global Cyber Activities

Markoff, John and Thom Shanker. 2009. “Halted ’03 Iraq Schmitt, Eric and Thom Shanker. 2011. “U.S. Debated
Plan Illustrates U.S. Fear of Cyberwar Risk.” The New Cyberwarfare in Attack Plan on Libya.” The New York
York Times, August 1. www.nytimes.com/2009/08/02/ Times, October 17. www.nytimes.com/2011/10/18/
us/politics/02cyber.html. world/africa/cyber-warfare-against-libya-was-
debated-by-us.html.
Maurer, Tim. 2011. “Cyber Norm Emergence at the
United Nations — An Analysis of the UN’s Activities Schmitt, Miachael N., ed. 2013. Tallinn Manual on the
Regarding Cyber-security?” Belfer Center for Science International Law Applicable to Cyber Warfare. Cambridge:
and International Affairs, Harvard Kennedy School Cambridge University Press.
Discussion Paper 2011-11.
Schneier, Bruce. 2013. “The Battle for Power on the Internet.”
Morse, Julia and Robert O. Keohane. Forthcoming. The Atlantic, October 24. www.theatlantic.com/
“Contested Multilateralism.” The Review of International technology/archive/2013/10/the-battle-for-power-
Organizations. on-the-internet/280824/.

Mueller, Milton. 2010. Networks and States. Cambridge, Sofaer, Abraham D., David Clark and Whitfield Diffie.
MA: MIT Press. 2010. “Cyber Security and International Agreements.”
In Proceedings of a Workshop on Deterring Cyberattacks:
———. 2012. “ITU Phobia: Why WCIT Was Derailed.” Informing Strategies and Developing Options for U.S.
Internet Governance Project. www.internetgovernance. Policy, edited by Committee on Deterring Cyberattacks:
org/2012/12/18/itu-phobia-why-wcit-was-derailed/. Informing Strategies and Developing Options and National
Research Council. Washington, DC: National Academies
Nye, Joseph S. 1981. “Maintaining the Non-Proliferation
Press.
Regime.” International Organization: 15–38.
Starr, Stuart H. 2009. “Toward a Preliminary Theory of
———. 2011a. “Nuclear Lessons for Cyber Security.”
Cyberpower.” In Cyberpower and National Security,
Strategic Studies Quarterly: 18–38.
edited by Franklin D. Kramer, Stuart Starr and Larry K.
———. 2011b. The Future of Power. New York: PublicAffairs. Wentz. Washington, DC: National Defense UP.

Ostrom, Elinor. 2009. “A General Framework for Analyzing Statista. 2013. “Market Value of the Largest Internet
Sustainability of Social-Ecological Systems.” Science Companies Worldwide as of May 2013 (In Billion
325. U.S. Dollars).” Statista. www.statista.com/
statistics/277483/market-value-of-the-largest-internet-
Ostrom, Elinor, Joanna Burger, Christopher Field, Richard companies-worldwide/.
Norgaard and David Policansky. 1999. “Revisiting the
Commons: Local Lessons, Global Challenges.” Science Tikk, Eneken. 2011. “Ten Rules for Cyber Security.” Survival
284 (5412). 53 (3): 119–32.

Raymond, Mark. 2013. “Puncturing the Myth of the Internet WGIG. 2005. Report of the Working Group on Internet
as a Commons.” Georgetown Journal of International Governance. Château de Bossey: WGIG. www.wgig.org/
Affairs Special Issue: 5–15. docs/WGIGREPORT.pdf.

Rid, Thomas. 2013. Cyber War Will Not Take Place. New Zittrain, Jonathan. 2008. The Future of the Internet and How
York: Oxford University Press. to Stop It. New Haven: Yale University Press.

Ruggie, John Gerard. 1982. “International Regimes, ———. 2014. “No Barack Obama Isn’t Handing Control
Transactions, and Change: Embedded Liberalism in the of the Internet Over to China.” The New Republic (224).
Postwar Economic Order.” International Organization
36 (2).

———. 1998. “What Makes the World Hang Together?

Neo-utilitarianism and the Social Constructivist
Challenge.” International Organization 42 (4): 855–85.

Sanger, David E., David Barboza and Nicole Perlroth. 2013.

“Chinese Army Unit Is Seen as Tied to Hacking Against
U.S.” The New York Times, February 18. www.nytimes.
com/2013/02/19/technology/chinas-army-is-seen-as-
tied-to-hacking-against-us.html?pagewanted=all.

Joseph S. Nye, Jr. • 15

ABOUT CIGI
The Centre for International Governance Innovation is an independent, non-partisan think tank on international
governance. Led by experienced practitioners and distinguished academics, CIGI supports research, forms networks,
advances policy debate and generates ideas for multilateral governance improvements. Conducting an active agenda
of research, events and publications, CIGI’s interdisciplinary work includes collaboration with policy, business and
academic communities around the world.

CIGI’s current research programs focus on three themes: the global economy; global security & politics; and international
law.

CIGI was founded in 2001 by Jim Balsillie, then co-CEO of Research In Motion (BlackBerry), and collaborates with and
gratefully acknowledges support from a number of strategic partners, in particular the Government of Canada and the
Government of Ontario.

Le CIGI a été fondé en 2001 par Jim Balsillie, qui était alors co-chef de la direction de Research In Motion (BlackBerry). Il
collabore avec de nombreux partenaires stratégiques et exprime sa reconnaissance du soutien reçu de ceux-ci, notamment
de l’appui reçu du gouvernement du Canada et de celui du gouvernement de l’Ontario.

For more information, please visit www.cigionline.org.

ABOUT CHATHAM HOUSE

Chatham House, the Royal Institute of International Affairs, is based in London, UK. Chatham House is a world-leading
source of independent analysis, informed debate and influential ideas on how to build a more prosperous and secure
world for all. Chatham House produces independent and rigorous analysis of critical global, regional and country-
specific challenges and opportunities, while offering new ideas to decision-makers and -shapers on how these could best
be tackled from the near- to the long-term. To learn more about Chatham House’s research on cyber security, please visit:
www.chathamhouse.org.

CIGI MASTHEAD
Managing Editor, Publications Carol Bonnett

Publications Editor Jennifer Goyder

Assistant Publications Editor Vivian Moser

Media Designer Steve Cross

EXECUTIVE
President Rohinton Medhora

Vice President of Programs David Dewitt

Vice President of Public Affairs Fred Kuntz

Vice President of Finance Mark Menard

COMMUNICATIONS
Communications Specialist Kevin Dias kdias@cigionline.org (1 519 885 2444 x 7238)

Public Affairs Coordinator Erin Baxter ebaxter@cigionline.org (1 519 885 2444 x 7265)
10 St James’s Square
London, England SW1Y 4LE, United Kingdom
tel +44 (0)20 7957 5700 fax +44 (0)20 7957 5710
www.chathamhouse.org
 April 2017

IoT, Automation, Autonomy, and

Megacities in 2025: A Dark Preview
Michael Assante and Andrew Bochman 1

Preface
This paper extrapolates from present trends to describe plausible future crises playing out in
multiple global cities within 10 years. While predicting the future is fraught with uncertainty, much
of what occurs in the scenarios that follow is fully possible today and absent a significant course
change, probable in the timeframe discussed.

It is not hard to find tech evangelists touting that ubiquitous and highly interconnected digital
technology will bring great advances in productivity and efficiency, as well as new capabilities we
cannot foresee. This paper attempts to reveal what is possible when these technologies are applied
to critical infrastructure applications en masse without adequate security in densely populated
cities of the near future that are less resilient than other environments. Megacities need and will
deploy these new technologies to keep up with insatiable demand for energy, communications,
transportation, and other services, but it is important to recognize that they are also made more
vulnerable by following this path. 2

To illustrate what these eventualities could look like, we have constructed four scenarios for the
not-too-distant future (2025) that lay out some of the more extreme risks we may face in an all-
digital world.

1Authors’ caveat: we are not commenting on specific organizations or technology deployments.

2 The authors are fans of predictive technologies and machine learning systems—given growing populations and scarce
resources, these technologies will be essential for our collective future. This paper is meant to make people aware that
even well-balanced systems will be susceptible to perturbations that can grow large as we centralize learning and
connect the many things. System owners, city planners, and technology communities and innovators need to consider
these in their designs and investments. We also want the world’s innovators to take notice of the opportunity to change
these stories. They can be different if defenders can harness the power of the analysis to quickly determine unauthorized
changes (tampering and experimentation) and use machine learning to spot patterns. Our call to action is for innovators
to make corresponding investments and advancements to leverage the breakthroughs in cognitive systems and data and
apply these capabilities to analyze and predict security-related outcomes.
2 | Michael Assante and Andrew Bochman

Introduction: Setting the Stage

Looking back, we can discern the root causes of the events we’re about to summarize. There was
lots of excitement about what the Internet of Things (IoT), as it was called back then, was going to
do for humanity. Here’s Marc Andreessen, one of the first Internet pioneers, thinking out loud and
with no small amount of optimism, in 2016:

The photos are all going, “Hey,” and the plate goes and refills itself and brings you fresh
food, and your beer mug tells you you’re drinking too much. Everything is just smart. This is
my view of the Internet of Things: you’re able to infuse intelligence into everything, you’re
able to put a chip in everything, you’re able to put software in everything, you’re able to
connect everything online and just everything is a lot smarter. The doorknob is a lot
smarter, and the lightbulb is a lot smarter, and your wristwatch is a lot smarter. Everything
starts to get really, really smart.

On the role of technology in improving the human condition, techno utopianism has been soundly
besting ludditism going on two centuries now, and the world of late 2025, with its autonomous
vehicles, fully integrated smart cities, deep virtual and augmented realities, and artificial intelligence
getting ever closer to human-parity general intelligence, is the result.

With that said, what’s transpired around the world just this past year has got to give pause to even
the most ardent optimists. Compiled below are the unnerving events witnessed in four of the
planet’s largest and most important cities as reported by the local media and then deconstructed
by an artificial intelligence (AI)-assisted omniscient cyber forensicist. In all it’s clear that the
technologies that helped the infrastructure managers of these cities handle the almost
incomprehensibly complex operations of a modern megacity were also the root cause (or at a
minimum, the enabler) of the disasters that befell them. Undoubtedly, cyber attackers played a
greater or lesser role in getting these crises rolling, but it appears that despite decades of warnings,
in the name of progress we’ve made things ever so easy for them. Now all we can hope for is that
we learn from these experiences and implement changes as quickly as possible, knowing full well
that change in infrastructure matters never comes quickly.

City Scenario I: Bangkok

Dispatch

Bangkok Post, Wednesday, April 23, 2025, Midnight—On a normal day, most residents of Bangkok
could expect clean water to flow from their faucets and their toilets to flush. Bold infrastructure
engineering work done in the late nineteenth century supported public health improvements that
led to ever-larger populations. Population growth in turn put stress on the systems and was
relieved by subsequent waves of engineering imagination and excellence. Some of the world’s
largest, most efficient water treatment plants have given this city some of the most affordable,
mainly clean water in Asia.
 IoT, Automation, Autonomy, and Megacities in 2025 | 3

However, as of five days ago, nothing in this sprawling city of 30 million has been normal:

● Multiple fires raging out of control when fire hydrants couldn’t produce water

● Industrial businesses shuttered because they couldn’t make their products without reliable
water supplies

● Foul water coming out of faucets, spilling forth from toilets in apartments and on the streets
from manhole covers

● And perhaps worst is that some power plants in and around the city are running at reduced
capacity due to having less of the water they require for cooling, and power outages are
undermining all efforts to restore order.

After years of droughts brought groundwater to historically low levels, a few days ago reports of
low and then no water pressure started coming in from households, businesses, and government
offices. By early evening the state-run Metropolitan Waterworks Authority (MWA) issued a
statement saying it had lost control over the majority of the pumps responsible for maintaining
water pressure, as well as its operator consoles, and was investigating the issue.

Throughout this ordeal, the governor of Bangkok tried to keep a calm face. But today he appeared
to lose his courage. On the Royal Thai Army’s Channel 7, the mayor said:

People of Krung Thep, I realize many of you cannot hear my message, but for those who
can, I strongly urge you to be strong, and carry on with as much faith and discipline as you
can muster. It appears we may be the victims of an unprecedented cyber attack on our
water infrastructure. The smartest engineers in our city are working day and night to
understand the full extent of the attack and with luck, will restore water, electricity, order,
and hope to our city as soon as possible. Otherwise, I am not sure what will become of us.

Tomorrow will be day six. With order breaking down, the Army trying to help the police keep the
growing riots in check, and with bottled water reserves almost depleted, we can only pray the
engineers will have success soon.

Omniscient Forensic Analysis

The roots of the problem began earlier that April when a water authority engineer received a file
from a collaboration platform used for getting new files from the city’s primary water service
infrastructure automation vendor. The file appeared to correspond to a firmware update posted on
the vendor’s knowledge portal indicating it was required to patch a memory leak problem. Once
downloaded, the file was then transferred from the engineer’s laptop to three engineering
workstations.

It only took seconds for the attackers’ command-and-control system to find the signal emanating
from the Trojan contained in the file. Almost immediately, additional implants made their way
4 | Michael Assante and Andrew Bochman

undetected on to the target workstations and began to exfiltrate the information needed to seed
the necessary changes to system software. That was the software residing on actuators and
digitally controlled pumps throughout the sprawling water system serving central Bangkok and
surrounding districts.

While remaining undetected, the attackers eventually learned enough to capture the digital
credentials they needed to manage the IT and operational technology (OT) infrastructure. Data
stolen from both the business network and the water Supervisory Control and Data Acquisition
(SCADA) network provided the keys needed to focus the attackers’ engineering efforts. It took
three months, but testing proved their bricking 3 payloads would load successfully 90 percent of
the time and result in irrecoverable device shutdowns. Staging the automatic software loads was
now the only step to be completed.

When the first attack came, the Bangkok water system experienced several waves of destruction as
malicious firmware was propagated to digital systems, including variable-speed drives required for
pumps and communication devices throughout their water transmission and distributed system.
Engineering teams were getting good at using analytics to predict failures and deal with
probabilistic failures in the system, but the scale of these failures was never seen before.
Equipment failures spanned from distribution pumping stations, water treatment plants and
chemical feeding systems, to transmission pumping stations. The attackers were able to shut down
pumping at five key stations rapidly depressurizing the entire water distribution system and setting
off an overwhelming onslaught of alarms at the water control center. Programmable logic
controllers (PLCs) began to report errors before their symbols went gray on operator consoles.
First the pumps, then the routers and modems, and finally the controllers were lost.

Work crews were unable to quickly repower units, to say nothing of the systems that were in a
bricked state. System planners ran through dusty plans for restoring the system by using older
pumps found in outlying stations. A crisis soon developed as newer systems to measure water
quality were no longer feeding data up to the quality analysis application running in the private
cloud. The water-quality checkpoints failed to report data and vital components failed in the
elaborate array of automatic chlorine feeding systems. The overflow of sewage was now
threatening water quality throughout the system.

Not only were they blinded, but the operators were robbed of the tools necessary to control water
processing for treatment and pumping. With PLCs no longer functioning, there were also problems
with digital actuators such as discharge and suction valves, variable-speed drives, motor-control
units, and supply and exhaust fans. This was an attack on a previously unprecedented scale, and
the IT group and SCADA support engineers found they did not have the tools for the job or the
ability to touch the staggering number of affected devices. The small IT department was unable to

3 “Bricking” is a term used when a computational device is rendered inoperable or is unable to perform its intended
function. A bricked device would be described as entering a disabled state. A “disabled state” encapsulates any behavior
that deviates from the documented function of the device. Examples can include nonresponsive connectivity ports,
improper I/O function, erroneous status information, or communication by the device that it is in a faulted state.
 IoT, Automation, Autonomy, and Megacities in 2025 | 5

keep up with the reporting and requests for assistance from the Raw Water Development
Department, Treatment Plant Services, and Water Distribution and Control Departments.

Frantic calls to device manufacturers became an all-hands effort as inventories were quickly
exhausted. Devices on the shelf had already been rushed to a central station nearest to the city’s
emergency response center and sports arena.

This cyber-induced crisis had the following roots:

1. Insecure remote connections facilitated the attack

2. Inability to detect intrusions allowed attackers to discover many firmware devices and to
engineer payloads for several different models, allowing for a massive attack

3. Automation and connectivity provided a pathway to find, touch, and deliver firmware
uploads

4. Firmware loading lacked advanced authentication mechanisms

City Scenario II: Shanghai

Dispatch

Xinhua News Service, May 5, 2025, 11:10 pm—At the time of this report, 80 percent of Shanghai’s
transportation system is completely inoperable. The computer systems that manage airports,
airlines, trains, subways, buses, and more have been massively disrupted. Airlines are reporting their
logistics scheduling systems are unstable. The few rail operators we reached are saying they can’t
see the positions of their trains and, in some cases, can’t verify the position of their track switches.
Following established procedures in this state of uncertainty, they stopped all movement. To top it
off, bus and taxi services, both autonomous and with drivers, are unable to keep up with the
unprecedented surge in demand and may be experiencing glitches of their own.

Although the cause is unknown, some opinions are forming. According to Mr. Steve Hu, chairman
of Huawei’s Global Cyber Security and User Privacy Committee:

The scale of this attack on transportation infrastructure seems unprecedented. There can
be little doubt there is a nation state behind this action. Who else could muster the
resources to create so many concurrent impacts on such diverse systems?

In time, we’ll come to know how fast these services can be returned to normal and hopefully
identify the root cause. What we do know for sure: hotels are reporting they are completely full,
more than 3 million people are stranded, and it’s going to be a long night.

Here’s a recap of today’s events. During this evening’s rush hour, subways and trains serving
Shanghai’s Pudong and Hongqiao international airports started running late and then stopped
6 | Michael Assante and Andrew Bochman

running altogether. In short order, concentric rings of similar troubles spread across the greater
Shanghai region. Rail commuters, both residents of the city as well as business people and tourists
from other parts of China and around the world, are utterly stranded. Buses and taxis initially
responded to the huge surge in demand; however, as the 15 million people dependent on trains
and subways turned to these alternatives, they too experienced systems failures that rendered
them nearly useless. One international banker we interviewed said he’s never seen anything like
this:

I was waiting for the 4:15 train to Pudong and even though the monitor said it was arriving,
it never actually came. Eventually I tried hailing a taxi but the app indicated a five-hour wait
time. My flight to Chengdu for work was supposed to depart at 7 pm but now I understand
it was just canceled. I give up. I want to just go home but even that now seems impossible.

Then came the airlines. Chinese airlines including Air China, Shanghai Airlines, and Juneyao Airlines
as well as foreign carriers Delta, Emirates, Singapore Airlines, and others had in recent months
begun reporting intermittent issues with their scheduling and logistics systems. As late afternoon
turned into evening, a clear disruption to air operations led some experts to suspect a coordinated
cyber attack.

The global economy took notice with sharp drops in the Shanghai and Hong Kong indexes and
overseas the DOW and FTSE are falling as well in pre-opening trading. The costs to productivity
seem likely to be massive, as are the ripple effects of unprecedented supply chain disruption.

Omniscient Forensic Analysis

Though contemporaries said the cause was “unknown” but attributed it to terrorist attack, in
retrospect the cause was obvious and not malevolent. High-precision time measurement matters
more than ever in 2025 as larger, more interconnected systems rely on the efficient exchange of
accurate time-stamped data. Many developers had been warned to select their algorithms and
libraries carefully, but not all heeded that advice, and this cascading transportation disruption
began in 100-nanosecond increments before it built into a time typhoon:

• Dynamic power management (DPM) had been rolled out to reduce the costs of paying for
the “electrification of everything”

● Shanghai had witnessed power consumption increasingly shifting from households to

collections of more and more things.

● Widely deployed DPM schemas were used to shut down devices when they were not
needed and to wake them before they were needed to receive/send data or process data

● Industrial Internet of Things (IIoT) implementations had been coded to optimize the
performance of associated devices in an attempt to manage out inefficiencies. A software
update addressed a few known bugs and added an innovative new way to manage DPM
 IoT, Automation, Autonomy, and Megacities in 2025 | 7

● Recent modernization projects allowed the world’s most-used metro to squeeze additional
capacity from the fixed core system and already maxed-out train car-per-track
arrangement

● New optimization software had taken advantage of cheap slap-on instruments to measure
activity in stations and along tracks to handle growing commuter numbers

The inflows from Maglev stations and hand-off stations to other forms of transportation like
airports were synchronized to better control train traffic. The software had already provided results
and slight tweaks were showing more promise under incredible demands to do more with what
was in place. Additional software-based controls allowed system designers to deal with the scale
of more data inputs and larger sensor deployments. “Run trains closer together, safely” was the
motto and driving force for innovation to include upgrading track-positioning sensors, from
passive radio frequency identification (RFID) tags to more powerful multisensor devices that could
include measurements that not only conveyed location, but indications of train loading and
maintenance information. The software was used to coordinate messaging and device power-on
based on advances in predictive analysis and being able to estimate train location while using the
sensors to verify and report. All of this meant Shanghai could keep up with its growing population
and continue to serve as an engine for growth and global investment.

The first failures in trackside instruments, caused by a compounding error that began impacting
instruments weeks after the update had been loaded, were being handled by logic in trackside
controllers and local system estimators. The predictive algorithm worked well, but its insatiable
appetite for data would finally go unmet as trackside devices failed to wake in time to provide
anticipated reports. Trackside controllers could not send necessary outputs and the matching of
train controller-fed locational data began to deviate. The complexity of multiple data sources and
the management of large underground deployments of firmware-based devices had been moved
into software. The DPM software tweak left devices in a sleep state too long resulting in
unanticipated extra controller-initiated communications when devices awoke outside of their
predictive windows.

The predictive applications began to fail and safety logic brought trains to a stop until sufficient
data would allow for the verification logic to solve. The loss of vital data and disruption in train
service quickly cascaded to other transportation elements as passengers became stranded,
stations were occupied to capacity, and data flows between the transit systems and other systems
warned that something was terribly wrong. The larger transportation system-of-systems began to
fail as humans were not where they were supposed to be and data triggered verification routines.
Tremendous amounts of data being sent by automated systems and individual customer requests
for automobile sharing services were overwhelming dispatching applications causing a denial of
service and timely processing.

Human override of the train safety logic in the applications was ruled out and initial forensics was
able to uncover the power management issue. A fallback version of the software was staged and
deployed, but the scale of the instrument failure meant hours were going to spread into tens of
8 | Michael Assante and Andrew Bochman

hours and possibly multiple days. Transit authority maintenance crews had never had to touch so
many devices that quickly. Offers to have military units available to aid in the loading of fallback
software were turned down as the loads were tricky and had to be verified.

If the rippling impacts of stranded commuters were not enough, the congestion of the city’s
cellular network began to stress priority service schemes, eventually leading to network latencies
as voice data and digital messaging began to overwhelm towers and backbones. The technology
implemented to digitize infrastructures had outpaced the cell networks they relied upon. The
traffic models had not anticipated a day anything like this and although the cellular network
remained available the latencies affected smart grid meters and telemetry signals from field
terminal units and digital sensing devices. The congestion resulted in local power management
conflicts that resulted in losing power to sections of the distribution system feeding one of the
airports and associated operational data centers.

The loss of power prompted power meters and non-power IIoT/IoT devices to send “last will and
testament” messages using capacitors for a last joule of energy. The resulting communication
surges piled onto the already-congested network. More congestion resulted in additional spot
power outages. The power disruptions were exacerbated by failures in backup generator and
micro-grid supplies, also due to cellular network congestion. The dependencies between
applications, data, and infrastructures became painfully obvious. It may be many weeks, if not
months, from now before the true chain of events can be mapped out.

City Scenario III: Mexico City

Dispatch

Radio Fórmula Cadena Nacional, July 26, 2025—In other big cities around the world we’ve seen
cyber-attacks on infrastructure spark the devolution of city services and, almost instantaneously,
civil order. What’s playing out here in Mexico’s beloved capital is a reversal of that sequence, with
all-too-familiar city employee strikes that have slowed the city to a crawl for the past few months
setting the stage for something quite out of the ordinary. We Mexicans long ago learned to expect
and tolerate near-crippling bureaucracy and inefficiency. But Mexico City, also known as Ciudad
de la Esperanza, or “The City of Hope,” has been the exception in many ways: exuberant, business-
fueled perpetual motion despite the enervating friction of its incorrigible, corrupt, and bloated
government.

All that, however, seems to have unraveled quickly when tens of thousands of strikers and other
protesters, enraged by the latest round of pay cuts, turned out on the streets and brought the city
to a weeklong standstill. Incessant social media campaigns in support of the strikers were to be
expected as were cyber-attacks of mixed success on city government websites. But when the built
infrastructure started acting as if it were possessed by demons, it became clear that a more
disruptive type of cyber assault might be occurring. It appears now that over the course of
approximately 90 minutes, about half of all the elevators in the city froze, often stuck in between
floors, stranding hundreds, maybe thousands, of people all over the city in truly desperate
 IoT, Automation, Autonomy, and Megacities in 2025 | 9

situations. How the cyber protesters were able to make this happen is anyone’s guess. One thing is
certain though: first responders including police, fire, and assorted facilities engineers were 100
percent occupied when the next crisis hit.

Within a few hours of the start of the elevator troubles, fire alarms and sprinkler systems activated
inexplicably in other buildings, forcing their occupants into the street. One could sense the
beginning of mass panic. With the police fully engaged in frantic rescue attempts across the city
and the military not yet activated, the streets began to boil. It was at about this time that the attack
on Santa Úrsula’s Estadio Azteca turned out the lights, emptying tens of thousands onto already-
jammed streets. The stampedes and barbarism that ensued and expanded from there have left
many thinking there may be no imaginable point of return.

Omniscient Forensic Analysis

Over the last 15 years the operations and maintenance of heavily used machines like elevators and
escalators have been brought into cloud analytic platforms with remote access, diagnostics, and
predictive maintenance. Elevators and escalators are typically out of service two days per year as a
result of planned inspection and maintenance or a malfunction. The collection of diagnostic data
combined with predictive analytics and remote access provides more efficiency in servicing and
enhancing the already high levels of availability. Instruments collect data and feed it over wireless
pathways to communication gateway devices to then reach a controller and head up to a cloud
platform. The cloud platform software provides a view to remotely manage hundreds of thousands
of machines while collecting data from millions of sensors. The local building managers are able to
receive a feed of the transport systems in their facilities and service providers and manufacturers
can monitor machine health and maintenance for an entire fleet. The software aids engineers in
determining if and when technicians need to be sent out, while equipping them with information
for tests and the work that needs to be performed. Sensors can provide vibration, speed, and
temperature data to building managers and service technicians’ smart phones and tablets armed
with maintenance applications.

These global systems harness powerful core analytics, saving money by improving computing
efficiency and machine performance. Engineers on different continents can diagnose faults and
performance irregularities on large numbers of machines each. Centralization has increased
productivity of service providers, but it also provides an adept individual or group with the ability to
remotely interact with many machines at once.

A group of hackers began toying around and found easy ways to make money using their skills.
They were smart and stayed below the radar for the most part. The group acted more like a club
than a gang. The recent social tensions had been a big topic at the lot gatherings. Two of their
members had been experimenting with their apartment building’s automated systems. They found
it comical that wireless network broadcast would advertise central elevator data and west side
cargo elevator. Their explorations brought them into contact with sensor data streams and a host
of IP addressable microcomputers. Some had web interfaces others did not. It was mostly just for
10 | Michael Assante and Andrew Bochman

fun until their explorations uncovered remote connections, and evidence of interactions that came
from mobile phone applications and a central data depository.

When three of the club members were caught up in the strike, they began encouraging other
members to get involved. One of the members was put into the hospital at the hands of riot
control police, and finally the group came together to plan an assault. They used their own
apartment building access to figure out how to access the systems of buildings surrounding the
protests. The idea was simple: dump more people into the streets so the police would need to pull
back and city officials would be forced to negotiate with the strikers.

This handful of hackers fully appreciates the potential consequences of their actions. Their actual
plan was basic: put elevators into shutdown and maintenance modes while removing or changing
IP addresses and configurations so machines could only be restarted onsite. The only thing holding
them back was scale. They had caught the user name and password for three buildings but some
implementations had not been accessed recently. A Google search yielded a hardcoded user
account made by the manufacturer. Then they were in all over the city. Soon, they were knocking
machines off line by the hundreds. The next move was a little more interactive as the group tripped
evacuation alarms from a cracked building management application. The alarms got people
moving, but it was the triggering of the fire-suppression systems based on bad data inputs to temp
sensors that finished the job.

A few hours of play created this chaos and it proved to be enough to tip the city into a prolonged
and brutish emergency with deadly results.

City Scenario IV: New York City (the Grand Finale)

Dispatch

New York Times, Friday, September 19, 2025, 2 pm—In what is already viewed as the worst attack
on New York since 2001, and what may turn out to be many times worse before it’s over, the city
has just been hit with what appears to be a coordinated cyber-physical attack of the kind national
security experts have been warning about for decades. The ultimate costs and causes may never
be known, and it seems the largest and most famous American city will never be the same.

The city of 25 million has just been plunged into what is inarguably its worst blackout of all time.
Historical blackouts (most famously in 1965, 1977, and 2003) were contained to between one and
several days in duration. The current blackout is going into its third full week. All five boroughs are
affected, along with parts of New Jersey, White Plains, and Long Island.

Electricity outages quickly impaired other critical city services like water and sewage,
transportation, communications, and more. Residents with the means to have been streaming out
of the city since July 5 and flooding suburbs to the north and west, as well as inundating Boston,
Baltimore, and Washington, D.C. Drone footage captured this morning offered views that were
nothing short of apocalyptic: stores shuttered and/or looted, street lights out, nonfunctional
 IoT, Automation, Autonomy, and Megacities in 2025 | 11

subways, and gas cars moving fast to avoid organized bands of thieves. New York City, traumatized
once more, is now held together by the National Guard acting under State of Emergency authority.

The day prior looked like it was going to be a typical Friday leading into an Indian Summer
weekend, albeit a hotter one than normal, as summer high temps had been well into the 100s.
Then from most accounts, the 4G and 5G phone and data networks stopped cold, and not just for
residents, but for most businesses and government workers too, and the city shifted with startling
speed from a festive holiday mood to anxiety and then what lies beyond anxiety.

One might have thought there’d be strong backup systems for the wireless systems on which so
much depended, but one public department of public services (DPS) employee we reached shared:

If your backup plan for loss of cellular communications is different cellular

communications, then you have no backup plan . . . and that’s been the plan for years now.

Others put blame on the less-than-reliable renewable energy systems that have been deployed en
masse since the NY REV grid modernization plan took full effect in the late teens and early
twenties. But then the hydro power the city has relied on from Canada should have saved the day,
right? Well it most certainly has not.

It’s hard to say where this is going to end up. The U.S. economy is in shock and the DOW and
global stock markets have declined between 30 and 50 percent since July 7. Right now, your best
bet for New York is to get out if you’re there and stay out if you’re not. The city that never sleeps
has been plunged into a deep coma from which it seems unlikely to ever fully reemerge.

Omniscient Forensic Analysis

The engineers could not fathom how they ended up here. The first quarter of the twenty-first
century ushered in the smart grid, which soon gave rise to the industrial internet and distributed
intelligent microgrids, all of which were coordinated by the cloud-hosted computing grid. The
tremendous complexity of this system of systems was concealed by mathematical algorithms and
data analysis. Beautiful pictures and data displays would tell us where to go and what to do to
maintain it. Modern society became tethered to a digital infrastructure that could not be
catalogued. This digital fabric spread across the globe and was deeply embedded in all things, from
the removal of waste water to the determination of how billions of people might best travel to
work each morning. Cloud computing further united parts of the world. Many argued that
globalization in the physical world had taken a step back in the 2020s, but the cyber world told a
different story.

Some experts had warned about the uniquely potent risk posed by highly targeted and
sophisticated cyber attacks. Several had been observed in other parts of the world that should have
served as a harbinger of sorts, but each time they were dismissed with “it could not happen like
that in America.” Even the insurance industry, wary of such scenarios, did not believe any capable
threat actor would attempt a massively damaging attack, let alone succeed.
12 | Michael Assante and Andrew Bochman

The countdown to disaster began more than a decade ago, with several cyber campaigns that
were discovered and discussed openly in the media, given names like Den of Thieves and Elegant
Frost. They showed that tarnished national pride was offended by a series of Western energy and
trade policies that left them with a smaller share of the new global prosperity. What infuriated them
the most was the prosperity being enjoyed by neighbors, while they began to languish and be
outcompeted.

Their own words warned us—they had felt as if they had been pushed into a corner—but what we
did not know is that, from the corner, the groups could flip several switches. With the Shanghai,
Mexico City, and Bangkok disasters preceding it, the year leading up to what was coined as the
worst cyber attack the world had ever seen was uniquely chaotic and dangerous.

There were already several countries that were dealing with a nasty web of insurrection and
subversive armed intrusions.

The lessons of hybrid warfare borne out in the 2010–2020 timeframe in eastern Europe were
being applied with some effect. It was years of deeply knowing several targeted organizations and
their operations that allowed planners to build their plan. The attackers were well positioned, as
their country had enjoyed a short season of growth and modernization that brought Western and
Chinese firms to upgrade their power systems and cellular networks, and to bring IIoT to their
country. These improvements gave the attackers the ability to understand the system of digital
bricks that the world was building its future upon. It took over a year to engineer an attack, and
months to then position everything in a veil of darkness. Strategic investments in research and
technology programs combined a deep technical understanding of modern satellite and
atmospheric communication networks, automation and control technology, and a chip-level
working knowledge of microcomputer boards.

The attack was prepared and executed in a series of well-synchronized stages.

• Stage 1. It all began with a series of implants in meter and microgrid data aggregators and
select communication gateways. The code was light weight, easily positioned in a few initial
hosts; once in place, it could self-propagate from device to device across the native
communication networks. The only trick was to propagate in a manner where the attack
did not congest its own pathways and did not get so noisy as to reveal itself in large swaths
of traffic where it hit public networks. The simple family of exploits took advantage of an
unknown weakness in the code used to enable web-capable management interface.
Researchers first published the vulnerability four years prior but no one had put the time
into operationalizing a working exploit, or at least no one thought that had happened. The
takeover of hundreds of thousands of power grid meters and power inverters provided a
large homogenous botnet that could quickly overwhelm New York’s telecommunication
networks while refusing remote connection attempts by the utility. If you could even get
through all the traffic, the devices would no longer recognize authentication attempts. This
attack stage created a great deal of confusion while complicating all sorts of
 IoT, Automation, Autonomy, and Megacities in 2025 | 13

communications that relied on shared networks to receive vital data from the many “micro-
processor-based things” that helped the city function.

• Stage 2. The second stage was composed of a few select actions to disrupt power flowing
in and to one of the world’s hungriest load centers. This attack required serious
engineering, but once in place, the code would do all the work. Operational traffic captures
from a few unmanned substations provided a good look at how the utilities being targeted
were applying a common industrial protocol used in SCADA applications. The software
implants had been coded to verify the specific implementation of breaker control before it
began to send commands to RTUs to open remotely operated circuit breakers and de-
energize critical circuits. These precise actions would create pockets of outages pushing
the system closer to stability limits. The loss of load would result in an over frequency
condition that machines would instantly sense and begin to balance. That is when the final
attack would activate.

• Stage 3. The last stage of the attack was timed as a final shot before the other malicious
codes would turn to a final payload module and overwrite memory at a basic level forcing
replacement of the many devices. The long-term prospects of reenergizing the power
system that served the city would become bleak in a matter of seconds. The final shot had a
40–50 percent chance of creating a wider outage to be felt outside of NYC. The attackers
had been hard at work finding their way onto the operational networks for a number of
cloud-connected gas turbines that supplied large portions of the consumed power on the
island. Once there they were able to devise two primary methods for placing the turbine in
a dangerous condition and after several attempts began to overwrite the system software
and firmware. Some of the attacks were successful in changing control setpoints that were
able to trip units while a few others actually caused physical damage. The result was a well-
synchronized loss of supply pushing the grid back in the other direction. The outage was
still contained to the region and manifested itself in several pockets—leaving some
microgrid devices and power meters to continue sending a tsunami of messages.

The combination of all three stages overwhelmed grid operators and city managers, creating
conditions that stressed the well-practiced plans to deal with all sorts of crises. The city known for
its planning and ability to absorb assault was plunged into a dark and an eerie silence. The pause
lasted longer than normal as emergency operations personnel waited to see if the power would
return and tried to make sense of why they were receiving minimal data from what was recently
heralded as one of the most instrumented cities in the world. The optimization cloud applications
were providing strange results for fire and police units on their city-wide operational picture
displays. Few people knew that the ocean of power meters were jamming networks with constant
streams of gibberish packets.

At first everyone focused on the immediate crisis of clogged communications and power outages,
but the city’s hydrologists knew there were bigger problems to worry about. NYC has been kept
dry by a series of huge pumps that remove intruding water into the city’s vast underground and
returning it to the Hudson. Slight variations in the water height had required a massive city works
14 | Michael Assante and Andrew Bochman

project to keep underground vaults dry and allow New Yorkers to use one of the most important
services the city offered—public mass transit. The pumps had been configured to receive power
from multiple redundant circuits, several key pumping stations were now offline, and the water
intrusion spread. Unknown to the attackers, two of the key substations attacked were required to
maintain power flow downstream to those pumping stations. The failure of a proper make-and-
break configuration on the local backup generator would go unnoticed as alerts were never sent
to the city’s hydrology ops center. The intruding water set off a number of tiny sensors used to
show the spread of water, but that data never found its way to the NYC private cloud providing
data to city engineers. The water would actually undermine a valiant effort to restore power to
sections of the city as transformers and conduits were energized without knowing sections were
underwater. Several electrical shorts occurred, adding to the damage.

It took two days to simply hatch a plan to combat the remaining botnet, and within the first hour
the plan would become unnecessary as the meters and inverters began to pop offline, never to
reset and reboot and come back. It was not the eye of the data storm as one person joked but the
end of the advanced meter network the utility had come to rely on. The utility power meter
engineers and security team, analyzing infected meters taken from the field, had missed the
module responsible for the firmware overwrite routine as they focused on portion of the code
responsible for sending out all the errant messages. The plan would now have to be modified to
visit each device and swap them out. New reports were starting to be radioed in or sent via satellite
phone that two of the three types of meters had actually performed remote disconnects,
interrupting power to homes and buildings. The outage would grow in size for one last time.

The only saving grace was that there were few ways to get to the remaining systems to perform
additional cyber attacks. By day three, cell towers, which had only recently been providing
sufficient throughput, began blinking off the communications grid while other emergency facilities
were suffering from the same fate, losing their back-up generators. The decision to evacuate was a
hard one, but no one could provide a confident estimate for restoring power at the edge of the
system, where meters had been bricked. Even worse, the city was literally flooding from the
basements up, making habitation a health risk and further undermining efforts to move and care
for people. The mayor requested the governor send in the National Guard to help utility personnel
remove meters for direct connections. The procedure was not complex but it did require two-man
teams to visit hundreds of thousands of locations. A return to normal would be measured in
neither days nor weeks, but more likely months if not years. And it would certainly have to be a
“new normal.”

Conclusions and Recommendations

In 2017, many of the current IoT products are literally toys—some, like Wi-fi-enabled Hello Barbie,
are intended for children. Others, like increasingly capable drones, and IIoT products, like highly
connected industrial equipment, are obviously made for adults. Ubiquitous cloud-computing and
storage capabilities are already in wide use by children and adults to such a pervasive extent that
 IoT, Automation, Autonomy, and Megacities in 2025 | 15

much of our modern world—from households to businesses to industrially intensive operations—

would cease to function if disconnected from cloud services for any appreciable length of time.

Now mix in the accelerating rate at which connectivity between not just intelligent objects and the
cloud, but between objects and other objects, is expanding, and the degree of interdependence
we’re building and accepting is simply staggering. Boy do things work great when they work. But
what are our plans B and C for when we these things fail or the systems on which they depend fail?
And fail they will.

Below find a starter list of cautionary observations, each of which suggests its high-level solution.

• Cell overload—The technologies implemented to digitize infrastructures have outpaced the

cell networks they relied upon.

• Restoration overload—Large deployments of things (e.g., instruments/sensors) can quickly

outpace stakeholders’ ability to maintain or restore them if a widespread common failure or
attack takes place

• Mass cascades—Single system disruptions can quickly cascade as large number of people’s
routines or plans are changed resulting in capacity surges and difficult-to-predict impacts
as first-order impacts are accompanied by second- and third-order impacts

• Software at scale—Software introduces large-scale systemic risk when implemented in

large scales. Updates need not only to be tested and receive device-level quality checks,
but system-wide modeling or simulation is necessary

• Software defects—Software-induced errors can serve as a blueprint for a malicious attack if

access to maintenance or engineering systems can be obtained

• Mono-culture risk

• Difficulties in risk detection because of complexity, opacity, latency, and disguise

What’s it going to take to follow through on any of these suggestions? Accidents, property
damage, corporate reputational damage, national security impacts, injuries, and significant loss of
human life. In short, problems that individuals, companies, and governments recognize today as
safety problems. Security pundits, particularly those focused on cyber security risks to industrial
operations, have been warning for years that interconnecting and automating systems that control
often-highly dangerous physical processes brings with it a type and scale of risk we had previously
not seen. Many have said that the answer lies in fusing security matters with safety culture.

We’ve seen cars, phone, toys, and many other types of tech-enabled products recalled or
terminated due to safety issues. When the same business and social impulses begin to extend into
the security realm, when more industrial software has to meet the requirements of “safety critical”
systems, we may find ways to avoid the scenes such as those depicted in this paper.
16 | Michael Assante and Andrew Bochman

Our civilization is grappling with unbounded complexity and cyber exposure brought by
automating important processes without a full consideration of the possible cyber consequences.
Obvious and seemingly unstoppable trend lines are pointing to massive deployment of increasingly
automated and even autonomous systems underway now and accelerating over the next few
years. We recommend a strategic pause to reconsider how we more fully value automation from a
cyber-informed cost-benefit perspective. And with or without that pause (we assume most won’t
understand the rationale) it is imperative that we find ways to identify, interrupt, and prevent
catastrophic cyber-physical consequences of both cyber-attack and malfunction of these
technologies.

Acknowledgments
This report is made possible by general support to CSIS. No direct sponsorship contributed to its
publication.

About the Authors

Michael Assante is a senior associate with the Technology Policy Program at the Center for
Strategic and International Studies in Washington, D.C. Andrew Bochman is senior cyber and
energy security strategist for the Idaho National Laboratory (INL) in Idaho Falls, Idaho.

This report is produced by the Center for Strategic and International Studies (CSIS), a private,
tax-exempt institution focusing on international public policy issues. Its research is
nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all
views, positions, and conclusions expressed in this publication should be understood to be
solely those of the author(s).

© 2017 by the Center for Strategic and International Studies. All rights reserved.
The Internet of Things: Frequently Asked
Questions

Eric A. Fischer
Senior Specialist in Science and Technology

October 13, 2015

Congressional Research Service

7-5700
www.crs.gov
R44227
 The Internet of Things: Frequently Asked Questions

Summary
“Internet of Things” (IoT) refers to networks of objects that communicate with other objects and
with computers through the Internet. “Things” may include virtually any object for which remote
communication, data collection, or control might be useful, such as vehicles, appliances, medical
devices, electric grids, transportation infrastructure, manufacturing equipment, or building
systems.
In other words, the IoT potentially includes huge numbers and kinds of interconnected objects. It
is often considered the next major stage in the evolution of cyberspace. Some observers believe it
might even lead to a world where cyberspace and human space would seem to effectively merge,
with unpredictable but potentially momentous societal and cultural impacts.
Two features makes objects part of the IoT—a unique identifier and Internet connectivity. Such
“smart” objects each have a unique Internet Protocol (IP) address to identify the object sending
and receiving information. Smart objects can form systems that communicate among themselves,
usually in concert with computers, allowing automated and remote control of many independent
processes and potentially transforming them into integrated systems.
Those systems can potentially impact homes and communities, factories and cities, and every
sector of the economy, both domestically and globally. Although the full extent and nature of the
IoT’s impacts remain uncertain, economic analyses predict that it will contribute trillions of
dollars to economic growth over the next decade. Sectors that may be particularly affected
include agriculture, energy, government, health care, manufacturing, and transportation.
The IoT can contribute to more integrated and functional infrastructure, especially in “smart
cities,” with projected improvements in transportation, utilities, and other municipal services. The
Obama Administration announced a smart-cities initiative in September 2015.
There is no single federal agency that has overall responsibility for the IoT. Agencies may find
IoT applications useful in helping them fulfill their missions. Each is responsible for the
functioning and security of its own IoT, although some technologies, such as drones, may fall
under the jurisdiction of other agencies as well. Various agencies also have relevant regulatory,
sector-specific, and other mission-related responsibilities, such as the Departments of Commerce,
Energy, and Transportation, the Federal Communications Commission, and the Federal Trade
Commission.
Security and privacy are often cited as major issues for the IoT, given the perceived difficulties of
providing adequate cybersecurity for it, the increasing role of smart objects in controlling
components of infrastructure, and the enormous increase in potential points of attack posed by the
proliferation of such objects. The IoT may also pose increased risks to privacy, with cyberattacks
potentially resulting in exfiltration of identifying or other sensitive information about an
individual. With an increasing number of IoT objects in use, privacy concerns also include
questions about the ownership, processing, and use of the data they generate.
Several other issues might affect the continued development and implementation of the IoT.
Among them are
 the lack of consensus standards for the IoT, especially with respect to
connectivity;
 the transition to a new Internet Protocol (IPv6) that can handle the exponential
increase in the number of IP addresses that the IoT will require;

Congressional Research Service

The Internet of Things: Frequently Asked Questions

 methods for updating the software used by IoT objects in response to security and
other needs;
 energy management for IoT objects, especially those not connected to the electric
grid; and
 the role of the federal government, including investment, regulation of
applications, access to wireless communications, and the impact of federal rules
regarding “net neutrality.”
No bills specifically on the IoT have been introduced in the 114th Congress, although S.Res. 110
was agreed to in March 2015, and H.Res. 195 was introduced in April. Both call for a U.S. IoT
strategy, a focus on a consensus-based approach to IoT development, commitment to federal use
of the IoT, and its application in addressing challenging societal issues. House and Senate
hearings have been held on the IoT, and several congressional caucuses may consider associated
issues. Moreover, bills affecting privacy, cybersecurity, and other aspects of communication could
affect IoT applications.

Congressional Research Service

 The Internet of Things: Frequently Asked Questions

Contents
What Is the Internet of Things (IoT)? .............................................................................................. 1
How Does the IoT Work? ................................................................................................................ 2
What Impacts Will the IoT Have? ................................................................................................... 4
Economic Growth ..................................................................................................................... 4
Economic Sectors ...................................................................................................................... 4
Agriculture .......................................................................................................................... 4
Energy ................................................................................................................................. 5
Health Care ......................................................................................................................... 6
Manufacturing ..................................................................................................................... 6
Transportation ..................................................................................................................... 6
Infrastructure and Smart Cities ........................................................................................... 7
Social and Cultural Impacts ...................................................................................................... 8
What Is the Current Federal Role? .................................................................................................. 8
What Issues Might Affect the Development and Implementation of the IoT? ............................... 11
Technical Issues ....................................................................................................................... 11
Internet Addresses .............................................................................................................. 11
High-Speed Internet .......................................................................................................... 13
Wireless Communications ................................................................................................ 13
Standards........................................................................................................................... 13
Other Technical Issues ...................................................................................................... 14
Cybersecurity .......................................................................................................................... 14
Safety ...................................................................................................................................... 15
Privacy .................................................................................................................................... 16
Other Policy Issues .................................................................................................................. 17
Federal Role ...................................................................................................................... 17
Spectrum Access ............................................................................................................... 18
Net Neutrality ................................................................................................................... 18
What Actions Has Congress Taken? .............................................................................................. 19
Legislation ............................................................................................................................... 19
Bills ................................................................................................................................... 19
Resolutions........................................................................................................................ 19
Hearings .................................................................................................................................. 19
Caucuses.................................................................................................................................. 20
Where Can I Find Additional Resources on This Topic? .............................................................. 20

Contacts
Author Contact Information .......................................................................................................... 20
Acknowledgments ......................................................................................................................... 20

Congressional Research Service

 The Internet of Things: Frequently Asked Questions

he Internet of Things (IoT) is a complex, often poorly understood phenomenon. The term

T is more than a decade old, but interest has grown considerably over the last few years as
applications have increased.1 The impacts of the IoT on the economy and society more
generally are expected by many to grow substantially. This report was developed to assist
Congress in responding to some commonly asked questions about it:
 “What Is the Internet of Things (IoT)?”
 “How Does the IoT Work?”
 “What Impacts Will the IoT Have?”
 “What Is the Current Federal Role?”
 “What Issues Might Affect the Development and Implementation of the IoT?”
 “What Actions Has Congress Taken?”
 “Where Can I Find Additional Resources on This Topic?”

What Is the Internet of Things (IoT)?

When people talk about the Internet, they are usually referring to the electronic network that
permits computers around the world to communicate with each other. What, then, is the IoT?
There is no universally agreed-upon definition,2 but generally, the term is used to describe
networks of objects that are not themselves computers but that have embedded components that
connect to the Internet. “Things” may include, for example, smart meters, fitness trackers,
personal vehicles, home appliances, medical devices, and even clothing used by individual
consumers. They may also include embedded devices in roadways and in other components of
infrastructure such as electric grids, manufacturing plants and other buildings, farms, and
virtually any other object, element, or system for which remote communications, control, or data
collection and processing might be useful.
While fixed and mobile computing devices such as desktop computers, smartphones, and tablets
are generally not considered to be IoT objects, smartphones in particular have features such as
motion and position sensors that blur the distinctions.3 Some smartphone applications, for
example, enable them to be used in fitness tracking and other health monitoring.
In other words, the IoT potentially includes huge numbers and kinds of interconnected objects. In
practice, IoT refers not to a simple or uniform network of objects but rather to a complex
collection of objects and networks. Specific dimensions of the IoT may be referred to by terms
such as smart grid, connected cities, and Industrial Internet.4 Other terms may also be used in the

1
Postscapes, “A Brief History of the Internet of Things,” 2015, http://postscapes.com/internet-of-things-history.
2
See, for example, Roberto Minerva, Abyi Biru, and Domenico Rotondi, “Towards a Definition of the Internet of
Things (IoT)” (IEEE Internet Initiative, May 27, 2015), http://iot.ieee.org/images/files/pdf/
IEEE_IoT_Towards_Definition_Internet_of_Things_Revision1_27MAY15.pdf.
3
Adam Thierer, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without
Derailing Innovation” (Mercatus Center (George Mason University), November 19, 2014, http://mercatus.org/
publication/internet-things-and-wearable-technology-addressing-privacy-and-security-concerns-without.
4
See, for example, Goldman Sachs Global Investment Research, “Our Thinking—What Is the Internet of Things?,”
Goldman Sachs, September 2014, http://www.goldmansachs.com/our-thinking/pages/iot-infographic.html. Some
observers even use Industrial Internet as a synonym for the IoT, although it more commonly applies to manufacturing
and other industrial activities. See, for example, World Economic Forum, “Industrial Internet of Things: Unleashing the
Potential of Connected Products and Services” (World Economic Forum, January 2015), http://www.weforum.org/
reports/industrial-internet-things-unleashing-potential-connected-products-and-services; Industrial Internet Consortium,
(continued...)

Congressional Research Service 1

The Internet of Things: Frequently Asked Questions

context of IoT to denote related concepts such as cyber-physical systems5 and the Internet of
Everything.6
The IoT is often considered the next major stage in the evolution of cyberspace.7 The first
electronic computers were developed in the 1940s, but forty years passed before connecting
computers through wired devices began to spread in the 1980s. The first decade of the twenty-
first century saw the next stage, marked by the rapid spread of smartphones and other mobile
devices that use wireless communications,8 as well as social media, big-data analytics, and cloud
computing.9 Building on those advances, connections between two or more machines (M2M) and
between machines and people are expected by many observers to lead to huge growth in the IoT
by 2020.10

How Does the IoT Work?

The IoT is not separate from the Internet, but rather, a potentially huge extension and expansion
of it. The “things” that form the basis of the IoT are objects. They could be virtually anything—
streetlights, thermostats, electric meters,11 fitness trackers, factory equipment, automobiles,
unmanned aircraft systems (UASs or drones),12 or even cows or sheep in a field.13 What makes an

(...continued)
“Home,” 2015, http://www.industrialinternetconsortium.org/index.htm.
5
National Institute of Standards and Technology, “Cyber-Physical Systems,” May 22, 2015, http://www.nist.gov/cps/
index.cfm. NIST defines cyber-physical systems as “co-engineered interacting networks of physical and computational
components.” It is a somewhat broader concept than the IoT, in that such systems need not be connected to the Internet
to function.
6
Cisco, “The Internet of Everything,” 2013, http://perma.cc/Y4LQ-633J?type=live. This concept is similar to that of
the IoT but emphasizes its ubiquity, leading some observers to argue that it is more comprehensive (Dorothy
Shamonsky, “Internet of Things vs. Internet of Everything: Does the Distinction Matter to User Experience
Designers?,” ICS Insight Blog, July 13, 2015, http://www.ics.com/blog/internet-things-vs-internet-everything-does-
distinction-matter-user-experience-designers). For purposes of this report, they are treated as synonymous.
7
The term cyberspace usually refers to the worldwide collection of connected ICT components, the information that is
stored in and flows through those components, and the ways that information is structured and processed. Its evolution
has been characterized in many different ways, but IoT’s emergence is a common theme. See, for example, Janna
Anderson and Lee Rainie, “The Internet of Things Will Thrive by 2025,” Pew Research Center, May 14, 2014,
http://www.pewinternet.org/2014/05/14/internet-of-things/; Simona Jankowski et al., “The Internet of Things: Making
Sense of the Next Mega-Trend” (Goldman Sachs Global Investment Research, September 3, 2014),
http://www.goldmansachs.com/our-thinking/pages/internet-of-things/iot-report.pdf; The White House, “Cyberspace
Policy Review,” May 29, 2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf..
8
Pew Research Internet Project, “Device Ownership over Time,” January 2014, http://www.pewinternet.org/data-trend/
mobile/device-ownership/.
9
Nicholas D. Evans, “SMAC and the Evolution of IT,” Computerworld, December 9, 2013,
http://www.computerworld.com/article/2475696/it-transformation/smac-and-the-evolution-of-it.html. SMAC stands for
social media, mobile devices, analytics (big data), and cloud computing.
10
Gartner, Inc., “Gartner Says 4.9 Billion Connected ‘Things’ Will Be in Use in 2015” (press release, November 11,
2014), http://www.gartner.com/newsroom/id/2905717; Leon Spencer, “Internet of Things Market to Hit $7.1 Trillion
by 2020: IDC,” June 5, 2014, http://www.zdnet.com/article/internet-of-things-market-to-hit-7-1-trillion-by-2020-idc/.
11
See CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J. Murrill, Edward C. Liu, and
Richard M. Thompson II.
12
See CRS Report R44192, Unmanned Aircraft Systems (UAS): Commercial Outlook for a New Industry, by Bill
Canis.
13
Tove B. Danovich, “Internet-Connected Sheep and the New Roaming Wireless,” The Atlantic, February 9, 2015,
http://www.theatlantic.com/technology/archive/2015/02/internet-connected-sheep-and-the-new-roaming-wireless/
385274/; David Evans, “Introducing the Wireless Cow,” The Agenda, July 2015, http://www.politico.com/agenda/
(continued...)

2 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

object part of the IoT is embedded or attached computer chips or similar components that give the
object both a unique identifier and Internet connectivity. Objects with such components are often
called “smart”—such as smart meters and smart cars.
Internet connectivity allows a smart object to communicate with computers and with other smart
objects. Connections of smart objects to the Internet can be wired, such as through Ethernet
cables, or wireless, such as via a Wi-Fi or cellular network.
To enable precise communications, each IoT object must be uniquely identifiable. That is
accomplished through an Internet Protocol (IP) address, a number assigned to each Internet-
connected device, whether a desktop computer, a mobile phone, a printer, or an IoT object.14
Those IP addresses ensure that the device or object sending or receiving information is correctly
identified.
What kinds of information do IoT objects communicate? The answer depends on the nature of the
object, and it can be simple or complex. For example, a smart thermometer might have only one
sensor, used to communicate ambient temperature to a remote weather-monitoring center. A
wireless medical device might, in contrast, use various sensors to communicate a person’s body
temperature, pulse, blood pressure, and other variables to a medical service provider via a
computer or mobile phone.
Smart objects can also be involved in command networks. For example, industrial control
systems can adjust manufacturing processes based on input from both other IoT objects and
human operators. Network connectivity can permit such operations to be performed in “real
time”—that is, almost instantaneously.
Smart objects can form systems that communicate information and commands among themselves,
usually in concert with computers they connect to. This kind of communication enables the use of
smart systems in homes, vehicles, factories, and even entire cities.
Smart systems allow for automated and remote control of many processes. A smart home can
permit remote control of lighting, security, HVAC (heating, ventilating, and air conditioning), and
appliances. In a smart city, an intelligent transportation system (ITS) may permit vehicles to
communicate with other vehicles and roadways to determine the fastest route to a destination,
avoiding traffic jams, and traffic signals can be adjusted based on congestion information
received from cameras and other sensors.15 Buildings might automatically adjust electric usage,
based on information sent from remote thermometers and other sensors.16 An Industrial Internet
application can permit companies to monitor production systems and adjust processes, remotely
control and synchronize machinery operations, track inventory and supply chains, and perform
other tasks.17

(...continued)
story/2015/06/internet-of-things-growth-challenges-000098.
14
Internet Assigned Numbers Authority (IANA), “Number Resources,” 2015, https://www.iana.org/numbers.
15
Department of Transportation, “Intelligent Transportation Systems (ITS),” 2015, http://www.its.dot.gov/index.htm;
Bruce Katz, “Why the U.S. Government Should Embrace Smart Cities” (Brookings Institution, July 26, 2011),
http://www.brookings.edu/research/opinions/2011/07/26-cities-katz.
16
Richard Barker and Amy Liu, “Smart Buildings the Next Step for Seattle,” Brookings Institution, July 28, 2014,
http://www.brookings.edu/blogs/the-avenue/posts/2014/07/28-smart-buildings-seattle-barker-liu; Bob Violino, “Smart
Cities Are Here Today—and Getting Smarter,” Computerworld, February 12, 2014, http://www.computerworld.com/
article/2487526/emerging-technology-smart-cities-are-here-today-and-getting-smarter.html.
17
See, for example, Industrial Internet Consortium, “Home.”

Congressional Research Service 3

The Internet of Things: Frequently Asked Questions

IoT connections and communications can be created across a broad range of objects and networks
and can transform previously independent processes into integrated systems. These integrated
systems can potentially have substantial effects on homes and communities, factories and cities,
and every sector of the economy, both domestically and globally.

What Impacts Will the IoT Have?

The IoT may significantly affect many aspects of the economy and society, although the full
extent and nature of its eventual impacts remains uncertain. Many observers predict that the
growth of the IoT will bring positive benefits through enhanced integration, efficiency, and
productivity across many sectors of the U.S. and global economies.18 Among those commonly
mentioned are agriculture, energy, health care, manufacturing, and transportation. Significant
impacts may also be felt more broadly on economic growth, infrastructure and cities, and
individual consumers. However, both policy and technical challenges, including security and
privacy issues, might inhibit the growth and impact of IoT innovations.

Economic Growth
Several economic analyses have predicted that the IoT will contribute significantly to economic
growth over the next decade, but the predictions vary substantially in magnitude. The current
global IoT market has been valued at about $2 trillion, with estimates of its predicted value over
the next five to ten years varying from $4 trillion to $11 trillion.19 Such variability demonstrates
the difficulty of making economic forecasts in the face of various uncertainties, including a lack
of consensus among researchers about exactly what the IoT is and how it will develop.20

Economic Sectors

Agriculture
The IoT can be leveraged by the agriculture industry through precision agriculture, with the goal
of optimizing production and efficiency while reducing costs and environmental impacts. For
farming operations, it involves analysis of detailed, often real-time data on weather, soil and air
quality, water supply, pest populations, crop maturity, and other factors such as the cost and
availability of equipment and labor.21 Field sensors test soil moisture and chemical balance,

18
See, for example, National Security Telecommunications Advisory Committee, “NSTAC Report to the President on
the Internet of Things,” November 19, 2014, http://www.dhs.gov/sites/default/files/publications/
NSTAC%20Report%20to%20the%20President%20on%20the%20Internet%20of%20Things%20Nov%202014%20%2
8updat%20%20%20.pdf..
19
Denise Lund et al., “Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of
Proven Value and Demand,” May 2014; Gartner, Inc., “Gartner Says the Internet of Things Installed Base Will Grow to
26 Billion Units By 2020” December 12, 2013, http://www.gartner.com/newsroom/id/2636073; James Manyika et al.,
“The Internet of Things: Mapping the Value Beyond the Hype” (McKinsey Global Institute, June 2015),
http://www.mckinsey.com/~/media/McKinsey/dotcom/Insights/Business Technology/Unlocking the potential of the
Internet of Things/Unlocking_the_potential_of_the_Internet_of_Things_Full_report.ashx; Verizon, “State of the
Market: The Internet of Things 2015,” February 20, 2015, http://www.verizonenterprise.com/resources/reports/
rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf.
20
Anderson and Rainie, “The Internet of Things Will Thrive by 2025.”
21
Jasper Janangir Mohammed, “Surprise: Agriculture Is Doing More with IoT Innovation than Most Other Industries,”
VentureBeat, December 7, 2014, http://venturebeat.com/2014/12/07/surprise-agriculture-is-doing-more-with-iot-
innovation-than-most-other-industries/; IBM Research, “Precision Agriculture,” 2015, http://www.research.ibm.com/
(continued...)

4 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

which can be coupled with location technologies to enable precise irrigation and fertilization.22
Drones and satellites can be used to take detailed images of fields, giving farmers information
about crop yield, nutrient deficiencies, and weed locations.23 For ranching and animal operations,
radio frequency identification (RFID) chips and electronic identification readers (EID) help
monitor animal movements, feeding patterns, and breeding capabilities, while maintaining
detailed records on individual animals.24

Energy
Within the energy sector, the IoT may impact both production and delivery, for example through
facilitating monitoring of oil wellheads and pipelines.25 When IoT components are embedded into
parts of the electrical grid, the resulting infrastructure is commonly referred to as the “smart
grid.”26 This use of IoT enables greater control by utilities over the flow of electricity and can
enhance the efficiency of grid operations.27 It can also expedite the integration of microgenerators
into the grid.28
Smart-grid technology can also provide consumers with greater knowledge and control of their
energy usage through the use of smart meters in the home or office.29 Connection of smart meters
to a building’s HVAC, lighting, and other systems can result in “smart buildings” that integrate
the operation of those systems.30 Smart buildings use sensors and other data to automatically
adjust room temperatures, lighting, and overall energy usage, resulting in greater efficiency and
lower energy cost.31 Information from adjacent buildings may be further integrated to provide
additional efficiencies in a neighborhood or larger division in a city.

(...continued)
articles/precision_agriculture.shtml.
22
Agnes Szolnoki and Andras Nabradi, “Economic, Practical Impacts of Precision Farming—With Especial Regard to
Harvesting,” Applied Studies in Agribusiness and Commerce 8, no. 2–3 (2014): 141–46, http://ageconsearch.umn.edu//
handle/202892.
23
Matthew J. Grassi, “Imagery: Which Way Is Right for Me?,” PrecisionAg, August 6, 2015,
http://www.precisionag.com/data/imagery/imagery-which-way-is-right-for-me/.
24
See, for example, Adrianne Jeffries, “Internet of Cows: Technology Could Help Track Disease, but Ranchers Are
Resistant,” The Verge, May 13, 2013, http://www.theverge.com/2013/5/10/4316658/internet-of-cows-technology-
offers-ways-to-track-livestock-but; The State of Victoria, “On-Farm Benefits of Sheep Electronic Identification (EID),”
Agriculture, 2015, http://agriculture.vic.gov.au/agriculture/farm-management/national-livestock-identification-system/
nlis-sheep-and-goats/on-farm-benefits-of-sheep-electronic-identification.
25
Verizon, “State of the Market: The Internet of Things 2015.”
26
Department of Energy, “The Smart Grid,” 2015, http://www.smartgrid.gov/the_smart_grid#smart_grid.
27
CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues, by Richard J. Campbell.
28
Jean Kumagai, “The Rise of the Personal Power Plant,” IEEE Spectrum, May 28, 2014, http://spectrum.ieee.org/
energy/the-smarter-grid/the-rise-of-the-personal-power-plant.
29
CRS Report R42338, Smart Meter Data: Privacy and Cybersecurity, by Brandon J. Murrill, Edward C. Liu, and
Richard M. Thompson II.
30
Institute for Building Efficiency, “What Is a Smart Building?,” April 2011, http://www.institutebe.com/smart-grid-
smart-building/What-is-a-Smart-Building.aspx.
31
IBM, “Smarter Buildings,” 2015, http://www.ibm.com/smarterplanet/us/en/green_buildings/overview/.

Congressional Research Service 5

The Internet of Things: Frequently Asked Questions

Health Care
The IoT has many applications in the health care field,32 in both health monitoring and treatment,
including telemedicine and telehealth.33 Applications may involve the use of medical technology
and the Internet to provide long-distance health care and education.34 Medical devices—which
can be wearable or nonwearable, or even implantable, injectable, or ingestible35—can permit
remote tracking of a patient’s vital signs, chronic conditions, or other indicators of health and
wellness.36 Wireless medical devices may be used not only in hospital settings but also in remote
monitoring and care, freeing patients from sustained or recurring hospital visits.37 Some experts
have stated that advances in healthcare IoT applications will be important for providing
affordable, quality care to the aging U.S. population.38

Manufacturing
Integration of IoT technologies into manufacturing and supply chain logistics is predicted to have
a transformative effect on the sector.39 The biggest impact may be realized in optimization of
operations, making manufacturing processes more efficient.40 Efficiencies can be achieved by
connecting components of factories to optimize production, but also by connecting components
of inventory and shipping for supply chain optimization.41 Another application is predictive
maintenance, which uses sensors to monitor machinery and factory infrastructure for damage.
Resulting data can enable maintenance crews to replace parts before potentially dangerous and/or
costly malfunctions occur.42

Transportation
Transportation systems are becoming increasingly connected. New motor vehicles are equipped
with features such as global positioning systems (GPS) and in-vehicle entertainment, as well as

32
The use of IoT in medicine is sometimes referred to as “connected” or “digital” health. See, for example, Food and
Drug Administration, “Digital Health,” September 22, 2015, http://www.fda.gov/ForConsumers/ConsumerUpdates/
ucm20035974.htm.
33
American Telemedicine Association, “What Is Telemedicine?” 2015, http://www.americantelemed.org/about-
telemedicine/what-is-telemedicine.
34
Health Resources and Services Administration, “Telehealth,” Department of Health and Human Services, 2015,
http://www.hrsa.gov/ruralhealth/about/telehealth/telehealth.html.
35
Manyika et al., “The Internet of Things: Mapping the Value Beyond the Hype.”
36
Jerome Couturier et al., “How Can the Internet of Things Help to Overcome Current Healthcare Challenges,”
Digiworld Economic Journal, no. 87 (Q 2012): 67–81, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2304133.
37
See, for example, Food and Drug Administration, “Wireless Medical Devices,” September 22, 2015,
http://www.fda.gov/MedicalDevices/DigitalHealth/WirelessMedicalDevices/default.htm.
38
See testimony from Senate Special Committee on Aging, Roundtable: Harnessing the Power of Telehealth: Promises
and Challenges?, 2014, http://www.aging.senate.gov/hearings/roundtable-harnessing-the-power-of-telehealth-
promises-and-challenges; House Committee on the Judiciary, Subcommittee on Courts, Intellectual Property, and the
Internet, Internet of Things, 2015, http://judiciary.house.gov/index.cfm/2015/7/hearing-internet-of-things.
39
Lopez Research, “Building Smarter Manufacturing with the Internet of Things (IoT),” January 2014,
http://www.cisco.com/web/solutions/trends/iot/iot_in_manufacturing_january.pdf; James Macaulay, Lauren Buckalew,
and Gina Chung, “Internet of Things in Logistics” (DHL Trend Research and Cisco Consulting Services, 2015),
http://www.dhl.com/content/dam/Local_Images/g0/New_aboutus/innovation/DHLTrendReport_Internet_of_things.pdf.
40
Manyika et al., “The Internet of Things: Mapping the Value Beyond the Hype.”
41
Macaulay, Buckalew, and Chung, “Internet of Things in Logistics.”
42
Manyika et al., “The Internet of Things: Mapping the Value Beyond the Hype.”

6 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

advanced driver assistance systems (ADAS), which utilize sensors in the vehicle to assist the
driver, for example with parking and emergency braking.43 Further connection of vehicle systems
enables fully autonomous or self-driving automobiles, which are predicted to be commercialized
in the next 5-20 years.44
Additionally, IoT technologies can allow vehicles within and across modes—including cars,
buses, trains, airplanes, and unmanned aerial vehicles (drones)—to “talk” to one another and to
components of the IoT infrastructure, creating intelligent transportation systems (ITS). Potential
benefits of ITS may include increased safety and collision avoidance, optimized traffic flows, and
energy savings, among others.45

Infrastructure and Smart Cities

The capabilities of the smart grid, smart buildings, and ITS combined with IoT components in
other public utilities—such as roadways, sewage and water transport and treatment, public
transportation, and waste removal—can contribute to more integrated and functional
infrastructure, especially in cities.46 For example, traffic authorities can use cameras and
embedded sensors to manage traffic flow and help reduce congestion.47 IoT components
embedded in street lights or other infrastructure elements can provide functions such as advanced
lighting control, environmental monitoring, and even assistance for drivers in finding parking
spaces.48 Smart garbage cans can signal waste removal teams when they are full, streamlining the
routes that garbage trucks take.49
This integration of infrastructure and service components is increasingly referred to as smart
cities, or other terms such as connected, digital, or intelligent cities or communities. A number of
cities in the United States and elsewhere have developed smart-city initiatives.50

43
Intel, “Technology and Computing Requirements for Self-Driving Cars,” June 2014, http://www.intel.com/content/
dam/www/public/us/en/documents/white-papers/automotive-autonomous-driving-vision-paper.pdf.
44
James M. Anderson et al., Autonomous Vehicle Technology: A Guide for Policymakers (Santa Monica, CA: Rand
Corporation, 2014), http://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR443-1/RAND_RR443-
1.pdf.
45
Intelligent Transportation Systems (ITS) and Joint Program Office (JPO), “ITS 2015-2019 Strategic Plan”
(Department of Transportation, February 19, 2015), http://www.its.dot.gov/strategicplan.pdf.
46
Manyika et al., “The Internet of Things: Mapping the Value Beyond the Hype”; Matthew Cuddy et al., “The
Smart/Connected City and Its Implications for Connected Transportation” (Department of Transportation, October 14,
2014), http://www.its.dot.gov/itspac/Dec2014/Smart_Connected_City_FINAL_111314.pdf.
47
Katz, “Why the U.S. Government Should Embrace Smart Cities.”
48
GE Lighting, “GE Announces Programs for Intelligent Cities on Both U.S. Coasts as It Pilots New Connected LED
Solution” (Press Release, April 15, 2015), http://pressroom.gelighting.com/news/ge-announces-programs-for-
intelligent-cities-on-both-u-s-coasts-as-it-pilots-new-connected-led-solution#.VcuyzfnYjnh.
49
See Andrea Zanella et al., “Internet of Things for Smart Cities,” IEEE Internet of Things Journal 1, no. 1 (February
2014): 22–32, doi:10.1109/JIOT.2014.2306328.
50
See, for example, Brookings Institution, “Getting Smarter About Smart Cities,” April 18, 2014,
http://www.brookings.edu/~/media/research/files/papers/2014/04/smart-cities/bmpp_smartcities.pdf; City of Scottsdale,
“myScottsdale,” 2015, http://www.scottsdaleaz.gov/service-request/myScottsdale; City of Dubuque, “DBQ IQ Water
Management,” 2015, http://www.cityofdubuque.org/1786/DBQ-IQ; Cleantech San Diego, “Smart Cities San Diego,”
2015, http://cleantechsandiego.org/smart-city-san-diego/; Boyd Cohen, “The 10 Smartest Cities In North America,”
Fast Company, November 14, 2013, http://www.fastcoexist.com/3021592/the-10-smartest-cities-in-north-america; GE
Lighting, “GE Announces Programs for Intelligent Cities”; Smart Cities Council, “Vision,” 2015,
http://smartcitiescouncil.com/category-vision; Violino, “Smart Cities Are Here Today—and Getting Smarter.”

Congressional Research Service 7

The Internet of Things: Frequently Asked Questions

As with IoT and other popular technology terms, there is no established consensus definition or
set of criteria for characterizing what a smart city is. Specific characterizations vary widely, but in
general they involve the use of IoT and related technologies to improve energy, transportation,
governance, and other municipal services for specified goals such as sustainability or improved
quality of life.51 The related technologies include
 social media (such as Facebook and Twitter),
 mobile computing (such as smartphones and wearable devices),
 data analytics (big data—the processing and use of very large data sets; and open data—
databases that are publicly accessible), and
 cloud computing (the delivery of computing services from a remote location,
analogous to the way utilities such as electricity are provided).52
Together, these are sometimes called SMAC.53

Social and Cultural Impacts

The IoT may create webs of connections that will fundamentally transform the way people and
things interact with each other. The emerging cyberspace platform created by the IoT and SMAC
has been described as potentially making cities “like ‘computers’ in open air,” where citizens
engage with the city “in a real-time and ongoing loop of information.”54
Some observers have proposed that the growth of IoT will result in a hyperconnected world in
which the seamless integration of objects and people will cause the Internet to disappear as a
separate phenomenon.55 In such a world, cyberspace and human space would seem to effectively
merge into a single environment, with unpredictable but potentially substantial societal and
cultural impacts.

What Is the Current Federal Role?

There is no single federal agency that has overall responsibility for the IoT, just as there is no one
agency with overall responsibility for cyberspace. Federal agencies may find the IoT useful in

51
See, for example, Brookings Institution, “Getting Smarter About Smart Cities”; Hafedh Chourabi et al.,
“Understanding Smart Cities: An Integrative Framework” (45th Hawaii International Conference on System Sciences,
IEEE, 2012), 2289–97, doi:10.1109/HICSS.2012.615; Frost and Sullivan, “Strategic Opportunity Analysis of the
Global Smart City Market,” August 2013, http://twimgs.com/audiencedevelopment/JC/LANDINGPAGES/GOV/
YEAR_2014/020314/4Define.pdf; GSMA and A.T. Kearney, “GSMA Mobile Economy 2013,” July 19, 2013,
http://www.gsmamobileeconomy.com/GSMA%20Mobile%20Economy%202013.pdf; Smart Cities Council,
“Definitions and Overviews,” 2015, http://smartcitiescouncil.com/smart-cities-information-center/definitions-and-
overviews.
52
See CRS Report R42887, Overview and Issues for Implementation of the Federal Cloud Computing Initiative:
Implications for Federal Information Technology Reform Management, by Patricia Moloney Figliola and Eric A.
Fischer.
53
See, for example, Evans, “SMAC and the Evolution of IT.”
54
Carlo Ratti of the Massachusetts Institute of Technology, as quoted in Violino, “Smart Cities Are Here Today—and
Getting Smarter.”
55
See, for example, Hayley Tsukayama, “What Eric Schmidt Meant When He Said ‘the Internet Will Disappear,’” The
Washington Post, January 23, 2015, https://www.washingtonpost.com/blogs/the-switch/wp/2015/01/23/what-eric-
schmidt-meant-when-he-said-the-internet-will-disappear/.

8 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

helping them fulfill their missions through a variety of applications such as those discussed in this
report and elsewhere.56 Each agency is responsible under various laws and regulations for the
functioning and security of its own IoT, although some technologies, such as drones, may also fall
under some aspects of the jurisdiction of other agencies.
Various agencies have regulatory, sector-specific, and other mission-related responsibilities that
involve aspects of IoT. For example, entities that use wireless communications for their IoT
devices will be subject to allocation rules for the portions of the electromagnetic spectrum that
they use.
 The Federal Communications Commission (FCC) allocates and assigns
spectrum for nonfederal entities.57
 In the Department of Commerce, the National Telecommunications and
Information Administration (NTIA) fulfills that function for federal entities,58
and the National Institute of Standards and Technology (NIST) creates
standards, develops new technologies, and provides best practices for the Internet
and Internet-enabled devices.59
 The Federal Trade Commission (FTC) regulates and enforces consumer
protection policies, including for privacy and security of consumer IoT devices.60
 The Department of Homeland Security (DHS) is responsible for coordinating
security for the 16 critical infrastructure sectors.61 Many of those sectors use
industrial control systems (ICS), which are often connected to the Internet, and
the DHS National Cybersecurity and Communications Integration Center
(NCCIC) has an ICS Cyber Emergency Response Team (ICS-CERT) to help
critical-infrastructure entities address ICS cybersecurity issues.62
 The Food and Drug Administration (FDA) also has responsibilities with
respect to the cybersecurity of Internet-connected medical devices.63
 The Department of Justice (DOJ) addresses law-enforcement aspects of IoT,
including cyberattacks, unlawful exfiltration of data from devices and/or

56
See, for example, Joseph Bradley et al., “Internet of Everything: A $4.6 Trillion Public-Sector Opportunity,” White
Paper (Cisco, 2013), http://internetofeverything.cisco.com/sites/default/files/docs/en/
ioe_public_sector_vas_white%20paper_121913final.pdf.
57
CRS Report RL32589, The Federal Communications Commission: Current Structure and Its Role in the Changing
Telecommunications Landscape, by Patricia Moloney Figliola; CRS Report R43256, Spectrum Policy: Provisions in
the 2012 Spectrum Act, by Linda K. Moore.
58
CRS Report R43866, The National Telecommunications and Information Administration (NTIA): An Overview of
Programs and Funding, by Linda K. Moore.
59
See, for example, National Institute of Standards and Technology, “Cyber-Physical Systems.”
60
See, for example, FTC Staff, “Internet of Things: Privacy and Security in a Connected World” (Federal Trade
Commission, January 2015), http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-
november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
61
For descriptions of these sectors, see The White House, “Critical Infrastructure Security and Resilience” (Presidential
Policy Directive 21, February 12, 2013), http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-
directive-critical-infrastructure-security-and-resil. The directive also identifies sector-specific agencies for each of the
identified sectors.
62
Department of Homeland Security, “About the National Cybersecurity and Communications Integration Center,”
April 27, 2015, http://www.dhs.gov/about-national-cybersecurity-communications-integration-center.
63
See, for example, Food and Drug Administration, “Cybersecurity for Medical Devices and Hospital Networks: FDA
Safety Communication,” June 13, 2013, http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm.

Congressional Research Service 9

The Internet of Things: Frequently Asked Questions

networks, and investigation and prosecution of other computer and intellectual

property crimes.64
 Relevant activities at the Department of Energy (DOE) include those associated
with developing high-performance and green buildings, and other energy-related
programs, including those related to smart electrical grids.65
 The Department of Transportation (DOT) has established an Intelligent
Transportation Systems Joint Program Office (ITS JPO) to coordinate various
programs and activities throughout DOT relating to the development and
deployment of connected vehicles and systems, involving all modes of surface
transportation.66 DOT mode-specific agencies also engage in ITS activities.67 The
Federal Aviation Administration (FAA) is involved in regulation and other
activities relating to unmanned aerial vehicles (UAVs)68 and commercial systems
(UAS).69
 The Department of Defense was a pioneer in the development of much of the
foundational technology for the IoT. Most of its IoT deployment has related to its
combat mission, both directly and for logistical and other support.70
In addition to the activities described above, several agencies are engaged in research and
development (R&D) related to the IoT.
 Like NIST, the National Science Foundation (NSF) engages in cyber-physical
systems research and other activities that cut across various IoT applications.71
 The Networking and Information Technology Research and Development
Program (NITRD), under the Office of Science and Technology Policy (OSTP)
coordinates Federal agency R&D in networking and information technology. The
NITRD Cyber Physical Systems Senior Steering Group “coordinates programs,
budgets and policy recommendations” for IoT R&D.72 Other agencies involved

64
See, for example, Department of Justice, “FY 2015 Budget Request: Cybersecurity,” February 28, 2014,
http://www.justice.gov/sites/default/files/jmd/legacy/2014/08/18/cyber-security.pdf.
65
See, for example, CRS Report R40147, Issues in Green Building and the Federal Response: An Introduction, by Eric
A. Fischer; CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues, by Richard J.
Campbell.
66
See, for example, Brian Cronin and Kevin Dopart, “Connected Vehicles—Improving Safety, Mobility, and the
Environment” (U.S. Department of Transportation, April 9, 2014), http://www.its.dot.gov/presentations/pdf/
NASA_Briefingv3.2.pdf; Intelligent Transportation Systems (ITS) and Joint Program Office (JPO), “ITS 2015-2019
Strategic Plan.”; CRS Report R42367, Medicaid and Federal Grant Conditions After NFIB v. Sebelius: Constitutional
Issues and Analysis, by Kenneth R. Thomas.
67
Intelligent Transportation Systems Joint Program Office, “About ITS,” Department of Transportation, 2015,
http://www.its.dot.gov/its_program/about_its.htm.
68
CRS Report R42718, Pilotless Drones: Background and Considerations for Congress Regarding Unmanned Aircraft
Operations in the National Airspace System, by Bart Elias.
69
CRS Report R44192, Unmanned Aircraft Systems (UAS): Commercial Outlook for a New Industry, by Bill Canis.
70
Denise E Zheng and William A. Carter, “Leveraging the Internet of Things for a More Efficient and Effective
Military” (Center for Strategic and International Studies, September 2015), http://csis.org/files/publication/
150915_Zheng_LeveragingInternet_WEB.pdf.
71
National Science Foundation, “Cyber-Physical Systems (CPS),” 2015, http://www.nsf.gov/funding/pgm_summ.jsp?
pims_id=503286&org=CISE&sel_org=CISE&from=fund; National Science Foundation, “Partnerships for Innovation:
Building Innovation Capacity,” 2015, http://nsf.gov/funding/pgm_summ.jsp?pims_id=504708.
72
Subcommittee on Networking and Information Technology Research and Development, Committee on Technology,
“Supplement to the President’s Budget for Fiscal Year 2015: The Networking and Information Technology Research
(continued...)

10 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

in such R&D include the Food and Drug Administration (FDA), the National
Aeronautics and Space Administration (NASA), the National Institutes of
Health (NIH), the Department of Veterans Affairs (VA), and several DOD
agencies.
 The White House has also announced a smart-cities initiative focusing on the
development of a research infrastructure, demonstration projects, and other R&D
activities.73

What Issues Might Affect the Development and

Implementation of the IoT?
The Internet of Things is often lauded for its potentially revolutionary applications. Indeed, IoT
devices are today being implemented in many different sectors for a vast array of purposes.
However, it is still unclear how IoT will progress due to challenges associated with both technical
and policy issues.

Technical Issues
Prominent technical limitations that may affect the growth and use of the IoT include a lack of
new Internet addresses under the most widely used protocol, the availability of high-speed and
wireless communications, and lack of consensus on technical standards.

Internet Addresses
A potential barrier to the development of IoT is the technical limitations of the version of the
Internet Protocol (IP) that is used most widely. IP is the set of rules that computers use to send
and receive information via the Internet, including the unique address that each connected device
or object must have to communicate. Version 4 (IPv4) is currently in widest use. It can
accommodate about four billion addresses, and it is close to saturation, with few new addresses
available in many parts of the world.74
Some observers predict that Internet traffic will grow faster for IoT objects than any other kind of
device over the next five years,75 with more than 25 billion IoT objects in use by 2020,76 and

(...continued)
and Development Program,” February 2015, https://www.nitrd.gov/pubs/2016supplement/
FY2016NITRDSupplement.pdf.
73
The White House, “Fact Sheet: Administration Announces New ‘Smart Cities’ Initiative to Help Communities
Tackle Local Challenges and Improve City Services” (Press Release, September 14, 2015),
https://www.whitehouse.gov/the-press-office/2015/09/14/fact-sheet-administration-announces-new-smart-cities-
initiative-help.
74
Iljitsch van Beijnum, “It’s Official: North America Out of New IPv4 Addresses,” Ars Technica, July 2, 2015,
http://arstechnica.com/information-technology/2015/07/us-exhausts-new-ipv4-addresses-waitlist-begins/.
75
Cisco predicts an annual growth rate of 71% for IoT traffic during that period, with mobile devices at about 63% and
desktop computers under 10% (Cisco, “The Zettabyte Era—Trends and Analysis,” May 2015, http://www.cisco.com/c/
en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI_Hyperconnectivity_WP.html).
76
Lund et al., “Worldwide and Regional Internet of Things (IoT) 2014–2020 Forecast: A Virtuous Circle of Proven
Value and Demand”; Gartner, Inc., “Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units
By 2020.”

Congressional Research Service 11

The Internet of Things: Frequently Asked Questions

perhaps 50 billion devices altogether.77 IPv4 appears unlikely to meet that growing demand, even
with the use of workarounds such as methods for sharing IP addresses.78
Version 6 (IPv6) allows for a huge increase in the number IP addresses. With IPv4, the maximum
number of unique addresses, 4.2 billion, is not enough to provide even one address for each of the
7.3 billion people on Earth. IPv6, in contrast, will accommodate over 1038 addresses—more than
a trillion trillion per person.
It is highly likely that to accommodate the anticipated growth in the numbers of Internet-
connected objects, IPv6 will have to be implemented broadly. It has been available since 1999 but
was not formally launched until 2012.79 In most countries, fewer than 10% of IP addresses were
in IPv6 as of September 2015. Adoption is highest in some European countries and in the United
States,80 where adoption has doubled in the past year to about 20%.81 Globally, adoption has
doubled annually since 2011, to about 7% of addresses in mid-2015.82 While growth in adoption
is expected to continue, it is not yet clear whether the rate of growth will be sufficient to
accommodate the expected growth in the IoT. That will depend on a number of factors, including
replacement of some older systems and applications that cannot handle IPv6 addresses,83
resolution of security issues associated with the transition, and availability of sufficient resources
for deployment.84
Efforts to transition federal systems to IPv6 began more than a decade ago.85 According to
estimates by NIST, adoption for public-facing services has been much greater within the federal
government than within industry or academia.86 However, adoption varies substantially among

77
Dave Evans, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything” (Cisco
Internet Business Solutions Group (IBSG), April 2011), http://www.cisco.com/web/about/ac79/docs/innov/
IoT_IBSG_0411FINAL.pdf. The latter figure also includes computers and mobile devices such as smartphones.
78
Matt Ford et al., “Address Sharing-Coming to a Network near You,” IETF Journal, June 2009,
http://www.internetsociety.org/articles/address-sharing-coming-network-near-you.
79
Internet Society, “Ipv6: Making Room for the Next 5 Billion People,” March 26, 2014,
http://www.internetsociety.org/deploy360/wp-content/uploads/2014/03/gen-ipv6factsheet-201403-en_FA_web.pdf.
The launch was essentially an organized attempt to stimulate adoption.
80
The top five were Belgium (34%), Switzerland (19%), the United States (18%), Germany, and Peru (17% each)
(Akamai, “IPv6 Adoption by Country and Network,” State of the Internet, September 16, 2015,
https://www.stateoftheinternet.com/trends-visualizations-ipv6-adoption-ipv4-exhaustion-global-heat-map-network-
country-growth-data.html).
81
Ibid.; Google, “IPv6,” September 23, 2015, http://www.google.com/intl/en/ipv6/. Google lists the U.S. adoption rate
at 21%.
82
Google, “IPv6”; Internet Society, “World IPv6 Launch,” May 27, 2014, http://www.worldipv6launch.org/
infographic/.
83
IPv6 addresses are four times longer than those in IPv4, and some systems and applications cannot process the longer
addresses properly (van Beijnum, “It’s Official: North America Out of New IPv4 Addresses”).
84
Sheila Frankel et al., “Guidelines for the Secure Deployment of IPv6,” SP 800-119 (National Institute of Standards
and Technology, December 2010), http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf; van Beijnum,
“It’s Official: North America Out of New IPv4 Addresses”; Panayotis A. Yannakogeorgos, “The Rise of IPv6,” Air and
Space Power Journal, April 2015, 103–28, http://www.au.af.mil/au/afri/aspj/digital/pdf/articles/2015-Mar-Apr/F-
Pano.pdf.
85
Chief Information Officers Council, “Planning Guide/Roadmap toward IPv6 Adoption Within the U.S.
Government,” June 2012, https://cio.gov/wp-content/uploads/downloads/2012/09/
2012_IPv6_Roadmap_FINAL_20120712.pdf; Yannakogeorgos, “The Rise of IPv6.”
86
National Institute of Standards and Technology, “Estimating IPv6 & DNSSEC Deployment Status,” September 24,
2015, http://fedv6-deployment.antd.nist.gov/snap-all.html.

12 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

agencies, and some data suggest that federal adoption plateaued in 2012.87 Data were not
available for this report on domains that are not public-facing, and it is not clear whether adoption
of IPv6 by federal agencies will affect their deployment of IoT applications.

High-Speed Internet
Use and growth of the IoT can also be limited by the availability of access to high-speed Internet
and advanced telecommunications services, commonly known as broadband, on which it
depends. While many urban and suburban areas have access, that is not the case for many rural
areas, for which private-sector providers may not find establishment of the required infrastructure
profitable, and government programs may be limited.88

Wireless Communications
Many observers believe that issues relating to access to the electromagnetic spectrum89 will need
to be resolved to ensure the functionality and interoperability of IoT devices. Access to spectrum,
both licensed and unlicensed, is essential for devices and objects to communicate wirelessly. IoT
devices are being developed and deployed for new purposes and industries, and some argue that
the current framework for spectrum allocation may not serve these new industries well.90

Standards
Currently, there is no single universally recognized set of technical standards for the IoT,
especially with respect to communications,91 or even a commonly accepted definition among the
various organizations that have produced IoT standards or related documents.92 Many observers
agree that a common set of standards will be essential for interoperability and scalability of
devices and systems.93 However, others have expressed pessimism that a universal standard is
feasible or even desirable, given the diversity of objects that the IoT potentially encompasses.94
Several different sets of de facto standards have been in development, and some observers do not

87
Ibid.; Mohana Ravindranath, “Government Outpacing Private Sector in IPv6 Adoption, Official Says,” NextGov:
CIO Briefing, May 18, 2015, http://www.nextgov.com/cio-briefing/2015/05/government-could-be-outpacing-private-
sector-ipv6-adoption/113056/.
88
For more information, see CRS Report R44080, Municipal Broadband: Background and Policy Debate, by Lennard
G. Kruger and Angele A. Gilroy, and CRS Report RL30719, Broadband Internet Access and the Digital Divide:
Federal Assistance Programs, by Lennard G. Kruger and Angele A. Gilroy.
89
Electromagnetic spectrum, commonly referred to as radio frequency spectrum or wireless spectrum, refers to
electromagnetic waves that, with applied technology, can transmit signals to deliver voice, text, and video
communications.
90
For more information, see CRS Report R43256, Spectrum Policy: Provisions in the 2012 Spectrum Act, by Linda K.
Moore.
91
Colin Neagle, “A Guide to the Confusing Internet of Things Standards World,” Network World, July 21, 2014,
http://www.networkworld.com/article/2456421/internet-of-things/a-guide-to-the-confusing-internet-of-things-
standards-world.html.
92
Minerva, Biru, and Rotondi, “Towards a Definition of the Internet of Things (IoT).”
93
See, for example, World Economic Forum, “Industrial Internet of Things: Unleashing the Potential of Connected
Products and Services.”
94
Christopher Null, “The State of IoT Standards: Stand by for the Big Shakeout,” TechBeacon, September 2, 2015,
http://techbeacon.com/state-iot-standards-stand-big-shakeout.

Congressional Research Service 13

The Internet of Things: Frequently Asked Questions

expect formal standards to appear before 2017. Whether conflicts between standards will affect
growth of the sector as it did for some other technologies is not clear.95

Other Technical Issues

Several other technical issues might impact the development and adoption of IoT. For example, if
an object’s software cannot be readily updated in a secure manner, that could affect both function
and security. Some observers have therefore recommended that smart objects have remote
updating capabilities.96 However, such capabilities could have undesirable effects such as
increasing power requirements of IoT objects or requiring additional security features to counter
the risk of exploitation by hackers of the update features.
Energy consumption can also be an issue. IoT objects need energy for sensing, processing, and
communicating information. If objects isolated from the electric grid must rely on batteries,
replacement can be a problem, even if energy consumption is highly efficient. That is especially
the case for applications using large numbers of objects or placements that are difficult to access.
Therefore, alternative approaches such as energy harvesting, whether from solar or other sources,
are being developed.97

Cybersecurity
The security of devices and the data they acquire, process, and transmit is often cited as a top
concern in cyberspace.98 Cyberattacks can result in theft of data and sometimes even physical
destruction. Some sources estimate losses from cyberattacks in general to be very large—in the
hundreds of billions or even trillions of dollars.99 As the number of connected objects in the IoT
grows, so will the potential risk of successful intrusions and increases in costs from those
incidents.
Cybersecurity involves protecting information systems, their components and contents, and the
networks that connect them from intrusions or attacks involving theft, disruption, damage, or
other unauthorized or wrongful actions.100 IoT objects are potentially vulnerable targets for
hackers.101 Economic and other factors may reduce the degree to which such objects are designed
with adequate cybersecurity capabilities built in. IoT devices are small, are often built to be
disposable, and may have limited capacity for software updates to address vulnerabilities that
come to light after deployment.

95
Lawson, “Why Internet of Things ‘Standards’ Got More Confusing in 2014,” PC World, December 24, 2014,
http://www.pcworld.com/article/2863572/iot-groups-are-like-an-orchestra-tuning-up-the-music-starts-in-2016.html.
96
See, for example, Roger Ordman, “Efficient Over-the-Air Software and Firmware Updates for the Internet of
Things,” Embedded Computing Design, April 10, 2014, http://embedded-computing.com/articles/efficient-software-
firmware-updates-the-internet-things/.
97
Keita Sekine, “Energy-Harvesting Devices Replace Batteries in IoT Sensors,” Core & Code, Q3 2014,
http://core.spansion.com/article/energy-harvesting-devices-replace-batteries-in-iot-sensors/.
98
See, for example, National Security Telecommunications Advisory Committee, “NSTAC Report to the President on
the Internet of Things.”
99
Center for Strategic and International Studies, “Net Losses: Estimating the Global Cost of Cybercrime” (McAfee,
June 2014), http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf?cid=BHP028; World
Economic Forum, “Industrial Internet of Things: Unleashing the Potential of Connected Products and Services.”
100
CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer.
101
Scott R. Peppet, “Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security
& Consent,” Texas Law Review, Forthcoming, March 1, 2014, http://papers.ssrn.com/abstract=2409074.

14 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

The interconnectivity of IoT devices may also provide entry points through which hackers can
access other parts of a network. For example, a hacker might gain access first to a building
thermostat, and subsequently to security cameras or computers connected to the same network,
permitting access to and exfiltration or modification of surveillance footage or other
information.102 Control of a set of smart objects could permit hackers to use their computing
power in malicious networks called botnets to perform various kinds of cyberattacks.103
Access could also be used for destruction, such as by modifying the operation of industrial
control systems, as with the Stuxnet malware that caused centrifuges to self-destruct at Iranian
nuclear plants.104 Among other things, Stuxnet showed that smart objects can be hacked even if
they are not connected to the Internet. The growth of smart weapons and other connected objects
within DOD has led to growing concerns about their vulnerabilities to cyberattack and increasing
attempts to prevent and mitigate such attacks, including improved design of IoT objects.105
Cybersecurity for the IoT may be complicated by factors such as the complexity of networks and
the need to automate many functions that can affect security, such as authentication.
Consequently, new approaches to security may be needed for the IoT.106
IoT cybersecurity will also likely vary among economic sectors and subsectors, given their
different characteristics and requirements. Each sector will have a role in developing
cybersecurity best practices, unique to its needs. The federal government has a role in securing
federal information systems, as well as assisting with security of nonfederal systems, especially
critical infrastructure.107 Cybersecurity legislation considered in the 114th Congress, while not
focusing specifically on the IoT, would address several issues that are potentially relevant to IoT
applications, such as information sharing and notification of data breaches.108

Safety
Given that smart objects can be used both to monitor conditions and to control machinery, the IoT
has broad implications for safety, with respect to both improvements and risks. For example,

102
Government Accountability Office, “Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to
Building and Access Control Systems,” December 12, 2014, http://www.gao.gov/products/GAO-15-6..
103
See, for example, Eduard Kovacs, “‘Spike’ DDoS Toolkit Targets PCs, Servers, IoT Devices: Akamai,” Security
Week, September 25, 2014, http://www.securityweek.com/spike-ddos-toolkit-targets-pcs-servers-iot-devices-akamai.
104
CRS Report R41524, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability, by Paul K.
Kerr, John W. Rollins, and Catherine A. Theohary.
105
Sydney J. Freedberg, Jr., “Cybersecurity Now Key Requirement for All Weapons: DoD Cyber Chief,” Breaking
Defense, January 27, 2015, http://breakingdefense.com/2015/01/cybersecurity-now-key-requirement-for-all-weapons-
dod-cio/; Patrick Tucker, “For Years, the Pentagon Hooked Everything to the Internet. Now It’s a ‘Big, Big Problem,’”
Defense One, September 29, 2015, http://www.defenseone.com/technology/2015/09/years-pentagon-hooked-
everything-internet-now-its-big-big-problem/122402/.
106
Benjamin Jun, “Make Way for the Internet of Things!” (RSA Conference 2014, San Francisco, CA, February 27,
2014), http://www.rsaconference.com/writable/presentations/file_upload/tech-r02-internet-of-things-v2.pdf; Benjamin
Jun, “Endpoints in the New Age: Apps, Mobility, and the Internet of Things” (RSA Conference 2015, San Francisco,
CA, April 21, 2015), https://www.rsaconference.com/writable/presentations/file_upload/eco-t07r-endpoints-in-the-
new-age-apps-mobility-and-the-internet-of-things.pdf.
107
Critical infrastructure was defined by the USA PATRIOT Act as “systems and assets, physical or virtual, so vital to
the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health and safety, or any combination of those matters” (5 U.S.C.
§5195c(e)).
108
For more discussion of congressional and executive-branch actions in cybersecurity, see CRS Report R43831,
Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer, and related reports.

Congressional Research Service 15

The Internet of Things: Frequently Asked Questions

objects embedded in pipelines can monitor both the condition of the equipment and the flow of
contents. Among other benefits, that can help both to expedite shutoffs in the event of leaks and
to prevent them through predictive maintenance.109 Connected vehicles can help reduce vehicle
collisions through crash avoidance technologies and other applications.110 Wireless medical
devices can improve patient safety by permitting remote monitoring and facilitating adjustments
in care.111
However, given the complexities involved in some applications of IoT, malfunctions might in
some instances result in catastrophic system failures, creating significant safety risks, such as
flooding from dams or levees.112 In addition, hackers could potentially cause malfunctions of
devices such as insulin pumps113 or automobiles,114 potentially creating significant safety risks.

Privacy
Cyberattacks may also compromise privacy, resulting in access to and exfiltration of identifying
or other sensitive information about an individual. For example, an intrusion into a wearable
device might permit exfiltration of information about the location, activities, or even the health of
the wearer.
In addition to the question of whether security measures are adequate to prevent such intrusions,
privacy concerns also include questions about the ownership, processing, and use of such data.
With an increasing number of IoT objects being deployed, large amounts of information about
individuals and organizations may be created and stored by both private entities and governments.
With respect to government data collection, the U.S. Supreme Court has been reticent about
making broad pronouncements concerning society’s expectations of privacy under the Fourth
Amendment of the Constitution while new technologies are in flux, as reflected in opinions over
the last five years.115 Congress may also update certain laws, such as the Electronic
Communications Privacy Act of 1986, given the ways that privacy expectations of the public are
evolving in response to IoT and other new technologies.116 IoT applications may also create

109
Adam Lesser, “Internet of Things: The Influence of M2M Data on the Energy Industry” (GigaOm Research, March
4, 2014), http://research.gigaom.com/report/internet-of-things-the-influence-of-m2m-data-on-the-energy-industry/.
110
Cronin and Dopart, “Connected Vehicles—Improving Safety, Mobility, and the Environment.”
111
Couturier et al., “How Can the Internet of Things Help to Overcome Current Healthcare Challenges.”
112
AIG, “The Internet of Things: Evolution or Revolution?,” June 10, 2015, https://www.aig.com/Chartis/internet/US/
en/AIG%20White%20Paper%20-%20IoT%20English%20DIGITAL_tcm3171-677828.pdf.
113
FTC Staff, “Internet of Things: Privacy and Security in a Connected World.”
114
Ian Foster et al., “Fast and Vulnerable: A Story of Telematic Failures,” in Proceedings of the 9th USENIX
Conference on Offensive Technologies (USENIX Association, 2015), 15–15, https://www.usenix.org/system/files/
conference/woot15/woot15-paper-foster.pdf; Andy Greenberg, “Hackers Remotely Kill a Jeep on the Highway—With
Me in It,” accessed October 6, 2015, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.
115
In the 2010 case City of Ontario v. Quon, the Court sidestepped the question whether individuals have a reasonable
expectation of privacy in their electronic communications by resolving the case on other grounds (City of Ontario v.
Quon, 560 U.S. 746 (2010) [“The judiciary risks error by elaborating too fully on the Fourth Amendment implications
of emerging technology before its role in society has become clear.”]). Similarly, in the 2012 GPS tracking case United
States v. Jones, the majority avoided the question of whether people should expect privacy in their public movements
over a long period of time by instead relying on a hundreds-year-old trespass theory of the Fourth Amendment (United
States v. Jones, 132 S. Ct. 945, 954 [2012]). More recently, in the 2015 case California v.Riley, the Court held that the
government must obtain a warrant before accessing the data on a cellphone confiscated upon an arrest; however, the
ruling did not separately opine on the level of protections for data stored in the cloud, on which IoT applications will
undoubtedly rely (California v. Riley, 134 S. Ct. 2473, 2495 [2015]).
116
See, CRS Report R44036, Stored Communications Act: Reform of the Electronic Communications Privacy Act
(continued...)

16 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

challenges for interpretation of other laws relating to privacy, such as the Health Insurance
Portability and Accountability Act and various state laws, as well as established practices such as
those arising from norms such as the Fair Information Practice Principles.117

Other Policy Issues

Federal Role
As described in the section, “What Is the Current Federal Role?” many federal agencies are
involved in different aspects of the IoT. Some business representatives and others have stressed
the role of effective public/private partnerships in the development of this technology space.118
However, observers have also expressed concerns about the role of government regulations and
policy, as discussed further in sections below, and about the degree and effectiveness of
coordination among the involved federal agencies.119 Concerns of some extend beyond the federal
role to that of state, local, and foreign governments.120
Given the eclectic nature of the IoT, overall coordination of federal efforts may be challenging
with respect to identification of both the goals of coordination and the methods for achieving
them. Nevertheless, several observers have argued in favor of a national strategy for the IoT,121
including in resolutions considered in the 114th Congress (see “What Actions Has Congress
Taken?”).
Some interagency initiatives have been established with respect to specific aspects of the IoT. For
example, in addition to the R&D coordination activities for cyber-physical systems under the
NITRD program,122 a specific framework has been developed for smart cities123 as part of the
overall White House initiative involving several federal agencies, local governments, and the
private sector.124

(...continued)
(ECPA), by Richard M. Thompson II and Jared P. Cole.
117
FTC Staff, “Internet of Things: Privacy and Security in a Connected World”; Thierer, “The Internet of Things and
Wearable Technology.”
118
See, for example, Brookings Institution, “Getting Smarter About Smart Cities”; House Committee on Energy and
Commerce, The Internet of Things: Exploring the Next Technology Frontier, 2015, http://energycommerce.house.gov/
hearing/internet-things-exploring-next-technology-frontier; House Committee on the Judiciary, Subcommittee on
Courts, Intellectual Property, and the Internet, Internet of Things.
119
See, for example, Gary Arlen, “Internet of Things Caucus Readies House Hearings,” Multichannel News, July 8,
2015, http://www.multichannel.com/blog/i-was-saying/internet-things-caucus-readies-house-hearings/392024; Darren
Samuelson, “The Agenda—Internet of Things,” July 2015, http://www.politico.com/agenda/issue/internet-of-things-
july-2015.
120
See, for example, Helen Rebecca Schindler et al., “Europe’s Policy Options for a Dynamic and Trustworthy
Development of the Internet of Things” (RAND Europe, July 26, 2013), http://www.rand.org/content/dam/rand/pubs/
research_reports/RR300/RR356/RAND_RR356.pdf; Thierer, “The Internet of Things and Wearable Technology.”
121
See, for example, Samuelson, “The Agenda—Internet of Things.”
122
See “What Is the Current Federal Role?” above.
123
Subcommittee on Networking and Information Technology Research and Development, Committee on Technology,
“Smart Cities and Connected Communities Framework,” September 11, 2015, https://www.nitrd.gov/sccc/.
124
The White House, “Fact Sheet: Administration Announces New ‘Smart Cities’ Initiative.”

Congressional Research Service 17

The Internet of Things: Frequently Asked Questions

Spectrum Access
Radio frequency (electromagnetic) spectrum is widely regarded as a critical link in IoT
communications, with reliable and affordable access to it required to accommodate the billions of
new IoT devices projected to go online over the next decade.125 New technology for mobile
communications is predicted to allow devices to operate on any available radio frequency and
potentially permit communications technologies and cyber-physical systems to converge
further.126 Concerns have been raised that current spectrum policy may favor consumer-oriented
mobile services and the wireless industry, rather than emerging markets for IoT devices, such as
transportation and manufacturing.127 Congress may therefore be faced with decisions about
whether the current policy needs to be revised.

Net Neutrality
The concept of “net neutrality” includes the two general principles that owners of the networks
that comprise and provide access to the Internet should not control how end users lawfully use
that network, and that they should not be able to discriminate against content provider access to
that network.128 The FCC adopted an order in February 2015 that established regulatory
guidelines to protect the marketplace from potential abuses that could threaten the net neutrality
concept.129 The order bans broadband Internet access providers (both fixed and wireless) from
blocking and throttling lawful content, and it prohibits paid prioritization of affiliated or
proprietary content.130 The order also creates a general conduct standard that Internet service
providers cannot harm consumers or providers of applications, content, and services. These rules
went into effect, with limited exceptions, on June 12, 2015, but have been challenged in the U.S.
Court of Appeals for the D.C. Circuit.131
It remains unclear how the FCC order will affect IoT devices and services. Some observers view
the implementation of FCC regulations as a positive development. They believe that it will ensure
openness and nondiscrimination for service providers, leading to the growth of new services and
consumer demand. Others have expressed concerns that the regulations will stifle investment and
innovation to the detriment of the expansion and growth of Internet deployment and services.
Furthermore, the rules are subject to “reasonable network management,” as defined by the FCC,
and a category of “specialized services” defined as those that “do not provide access to the
Internet generally” are exempt from the rules established by the order.132 Depending on how
individual IoT services and devices are categorized and the degree of network management such

125
CRS Report R43256, Spectrum Policy: Provisions in the 2012 Spectrum Act, by Linda K. Moore.
126
CRS Insight IN10191, What Is 5G? Implications for Spectrum and Technology Policy, by Linda K. Moore.
127
CRS Insight IN10221, The Robot Did It: Spectrum Policy and the Internet of Things, by Linda K. Moore.
128
For additional information on the net neutrality issue see CRS Report R40616, Access to Broadband Networks: The
Net Neutrality Debate, by Angele A. Gilroy, and CRS Report R43971, Net Neutrality: Selected Legal Issues Raised by
the FCC’s 2015 Open Internet Order, by Kathleen Ann Ruane.
129
Federal Communications Commission, “Protecting and Promoting the Open Internet; Final Rule,” Federal Register
80, no. 70 (April 13, 2015): 19738–850, http://www.gpo.gov/fdsys/pkg/FR-2015-04-13/pdf/2015-07841.pdf.
130
Paid prioritization occurs when a broadband Internet access provider accepts payment (monetary or otherwise) to
manage its network in a way that benefits particular content, applications, devices, or services.
131
The challenges were consolidated under U.S. Telecom Association v. FCC, D.C. Cir. No. 15-1063, April 14, 2015.
132
The FCC order cited heart monitors and energy consumption sensors as examples of “specialized services.” See
Federal Communications Commission, “Protecting and Promoting the Open Internet; Final Rule” para. 35.

18 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

specialized services may need, the order could also affect IoT applications on a case-by-case
basis.

What Actions Has Congress Taken?

Legislation

Bills
No bills have been introduced in the last two Congresses relating specifically to the IoT.
However, many bills have been introduced with provisions related to aspects of the IoT such as
connected vehicles, cyber-physical systems, smart cities, and the smart grid. None of those bills
were enacted as of September 2015, although some bills with provisions on applications and
appropriations relating to telehealth and telemedicine were enacted in both the 113th and 114th
Congresses. Several bills in the 114th Congress would address issues that are potentially relevant
to IoT applications, such as information sharing in cybersecurity, privacy, and notification of data
breaches.133

Resolutions
Two similar resolutions on the IoT have been submitted in the 114th Congress, one in the House
(H.Res. 195/Lance, introduced April 13, 2015) and one in the Senate (S.Res. 110/Fischer,
introduced and passed March 24). Both call for
 a U.S. strategy for development of the IoT to improve social well-being while
allowing for innovation and protecting against misuse,
 recognition of the importance of a consensus-based approach and the role of
businesses in that development,
 federal government commitment to use the IoT, and
 a U.S. commitment to use the IoT for developing new technologies to address
challenging societal issues.
The House version also calls for the use of cost-benefit analysis to determine when federal action
is needed to address “discrete harms” in the marketplace. It also refers explicitly to energy
optimization and the need for cybersecurity.

Hearings
Both the House and the Senate have held hearings on the IoT in 2015. In the Senate, the
Committee on Commerce, Science, and Transportation held a hearing on February 11.134 In the
House, one was held by the Energy and Commerce Committee on March 24,135 and another by
the Subcommittee on Courts, Intellectual Property, and the Internet of the Committee on the

133
For more information, see CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer,
and related reports.
134
Senate Committee on Commerce, Science, and Transportation, The Connected World: Examining the Internet of
Things, 2015, http://www.commerce.senate.gov/public/index.cfm/hearings?ID=d3e33bde-30fd-4899-b30d-
906b47e117ca.
135
House Committee on Energy and Commerce, The Internet of Things: Exploring the Next Technology Frontier.

Congressional Research Service 19

The Internet of Things: Frequently Asked Questions

Judiciary on July 29.136 The hearings featured witnesses from businesses and associations who
discussed the growth, uses, and economic potential of the IoT, as well as some of the issues
described in this report, such as privacy, regulation, security, spectrum management, and
standards.

Caucuses
There are several congressional caucuses that may consider issues associated with the IoT.
Among them are caucuses on cloud computing,137 cybersecurity,138 the Internet,139 and high-
performance buildings. In addition, new caucuses announced in this session included one
expressly on the Internet of Things,140 and one on smart transportation.141

Where Can I Find Additional Resources on This

Topic?
For additional assistance on the IoT and related topics, see CRS Report R44225, The Internet of
Things: CRS Experts, by Eric A. Fischer and Glenn J. McLoughlin. Congressional offices may
also contact CRS by placing a request via telephone or online through the CRS website (see
http://www.crs.gov/AboutCRS/Contact-Us).

Author Contact Information

Eric A. Fischer
Senior Specialist in Science and Technology
efischer@crs.loc.gov, 7-7071

Acknowledgments
This report was originally coauthored by Stephanie M. Logan while she was a CRS research assistant.
Stephanie performed most of the research and provided much of the organizational structure and text for
the report. Her insights and other contributions were invaluable.

136
House Committee on the Judiciary, Subcommittee on Courts, Intellectual Property, and the Internet, Internet of
Things.
137
Cloud Computing Caucus Advisory Group, “Home,” 2015, https://www.cloudcomputingcaucus.org/.
138
Congressional Cybersecurity Caucus, “Welcome,” 2015, http://cybercaucus.langevin.house.gov/.
139
Congressional Internet Caucus Advisory Committee, “NetCaucus,” 2015, http://www.netcaucus.org/.
140
The Honorable Suzan DelBene, “U.S. Reps. DelBene and Issa Announce Creation of the Congressional Internet of
Things Caucus” (Press Release, January 13, 2015), https://delbene.house.gov/media-center/press-releases/us-reps-
delbene-and-issa-announce-creation-of-the-congressional-internet.
141
Senator Gary Peters, “Peters, Gardner Announce New Bipartisan Smart Transportation Caucus” (press release, June
10, 2015), http://www.peters.senate.gov/newsroom/press-releases/peters-gardner-announce-new-bipartisan-smart-
transportation-caucus.

20 Congressional Research Service

 The Internet of Things: Frequently Asked Questions

The following CRS staff contributed to sections of this report: Angele A. Gilroy to “Net Neutrality,” Linda
K. Moore to “Spectrum Access,” Megan Stubbs to “Agriculture,” and Richard M. Thompson II and Jared
P. Cole to “Privacy.”

Congressional Research Service 21

 TOOLS I REQUIRE
SECURITY CHECK
🔐 1. Network Security Assessment
Nmap – Scans open ports and services on hosts.
Wireshark – Captures and analyzes network traffic.
Tcpdump – Command-line packet analyzer.
Snort – Network Intrusion Detection System (NIDS).
Zeek (formerly Bro) – Advanced network traffic analysis.

🧪 2. Vulnerability Scanning
Nessus – Comprehensive vulnerability scanner.
OpenVAS – Open-source vulnerability scanning.
Nikto – Scans web servers for dangerous files, outdated software, etc.
Qualys – Cloud-based scanner (enterprise-level).

🔍 3. Penetration Testing
Metasploit Framework – Exploitation framework for penetration testing.
Burp Suite – Web application security testing (has free and pro versions).
SQLmap – Automated SQL injection tool.
Hydra – Password brute-forcing tool.
Aircrack-ng – Wi-Fi penetration testing tool.

🧱 4. Web Application Security

OWASP ZAP – Zed Attack Proxy, great for detecting security issues in web apps.
Burp Suite – Again, critical for intercepting HTTP traffic and testing web app logic.
Wfuzz / Dirb – URL fuzzing for hidden files and directories.

🔑 5. Password Security
John the Ripper – Password cracking tool.
Hashcat – GPU-based password recovery tool.
CrackStation – Online password hash cracking tool (for legal use only).

🗄️ 6. Malware Analysis & Forensics

Autopsy – Digital forensics platform.
Volatility – Memory forensics tool.
Cuckoo Sandbox – Automated malware analysis.
PEStudio – Analyze executable files without running them.

🔍 7. Endpoint Detection & Response (EDR)

 Sysmon (Microsoft) – Logs system activity for forensic analysis.
OSSEC – Host-based Intrusion Detection System (HIDS).
ELK Stack (Elasticsearch, Logstash, Kibana) – Log management and analysis.
CrowdStrike Falcon / SentinelOne – Commercial EDR platforms.

🧠 8. Threat Intelligence & Monitoring

AlienVault OSSIM – Open-source SIEM.
Splunk – Popular for threat detection and log management.
TheHive – Incident response platform.
MISP (Malware Information Sharing Platform) – For threat intelligence sharing.

OTHERS

🧭 1. Reconnaissance (Passive & Active)

Learn what attackers can find before touching your network.

Tool Purpose Analyst Insight

theHarvester Email, domain, and Understand info leakage

username OSINT

Recon-ng Modular OSINT framework Builds recon reports

Shodan Discover exposed Know what attackers see

services/devices

🕸️ 2. Scanning & Enumeration

Simulate what attackers do to find weaknesses.
 Tool Purpose Analyst Insight

Nmap Port and service scanning Map attack surface

Netcat Manual port probing and Understand custom

backdoors connections

Enum4linux Enumerate Windows Spot exposed AD info

shares and users

🧪 3. Vulnerability Assessment
Scan for known weaknesses before attackers do.

Tool Purpose Analyst Insight

OpenVAS Vulnerability scanning Compliance readiness

Nikto Web server Catch misconfigurations

misconfiguration scan

Nessus (free/paid) Full vulnerability CVSS scoring, patch

assessment suite validation

💥 4. Exploitation (Safe Simulation)

Understand how exploits work to better defend against them.
 Tool Purpose Analyst Insight

Metasploit Exploit framework Simulate attacks in labs

Burp Suite (Free) Web app testing + payload Understand client/server

injection flaws

SQLmap SQL injection testing Test and fix DB-related

issues

🔍 5. Post-Exploitation & Lateral Movement

Know what an attacker could do after access.

Tool Purpose Analyst Insight

Mimikatz Extracts Windows Learn about credential

credentials abuse

BloodHound Maps AD attack paths See privilege escalation

routes

PowerView PowerShell-based recon Understand Windows

internals

🔐 6. Password Cracking & Brute-Forcing

Test the strength of internal or leaked credentials.
 Tool Purpose Analyst Insight

John the Ripper Offline password cracking Password strength auditing

Hashcat GPU-based cracking Crack faster in realistic

engine tests

Hydra Brute-force network Test login rate-limiting

services defenses

🧠 7. Reporting & Remediation

Your most critical role as an analyst: document, prioritize, and recommend.

Tool Purpose

Dradis Collaborative pentest reporting

Faraday Centralize findings from tools

Security Onion Blue-team defense + reporting stack

🔒 Lab Platforms to Practice Legally

Platform Description

TryHackMe Beginner-friendly gamified labs

Hack The Box Realistic scenarios for pentest & red

teaming

PentesterLab Web app and API security exercises

RangeForce / BlueTeam Labs Blue team and detection-oriented

challenges
✅ As a Cybersecurity Analyst, Learning Ethical Hacking Helps
You:
Identify security flaws proactively
Understand attacker methodologies
Improve incident response quality
Communicate risks with real-world examples
Build red-blue team collaboration
 Case Study
APT28 Cybergroup Activity
Michal Ostrowski
michal.ostrowski@fireeye.com
Tomasz Pietrzyk
tomasz.pietrzyk@fireeye.com
Copyright © 2014, FireEye, Inc. All rights reserved.
1
Instead of Marketing Slides… J

§ FireEye/Mandiant monitors about 300 APT groups over

the world continuously
– They represent various TTPs (tools, techniques, and practices)
and have various goals
– They have something in common – they are highly skilled and
extremely difficult to detect

2 Copyright © 2014, FireEye, Inc. All rights reserved.

Poland and Eastern Europe are not “no-APT-islands”…

3 Copyright © 2014, FireEye, Inc. All rights reserved.

APT28 Key Findings

§ APT28 targets insider information related to governments,

militaries, and security organizations that would likely
benefit the Russian government. APT28 primarily targets
Georgia, Eastern Europe, and
European security organizations
using skillfully engineered malware
which was created during normal
working hours in Moscow.

4 Copyright © 2014, FireEye, Inc. All rights reserved.

5 Copyright © 2014, FireEye, Inc. All rights reserved.
APT28 Primary Targets

GEORGIA EASTERN EUROPE SECURITY ORGANIZATIONS

APT28 likely seeks to collect APT28 has demonstrated APT28 appeared to target
intelligence about Georgia’s interest in Eastern European individuals affiliated with
security and political dynamics governments and security European security organizations
by targeting officials working for organizations. and global multilateral
the Ministry of Internal Affairs These victims would provide the institutions.
and the Ministry of Defense. Russian government with an The Russian government has
ability to predict policymaker long cited European security
intentions and gauge its ability to organizations like NATO and the
influence public opinion. OSCE as existential threats,
particularly during periods of
increased tension in Europe.
6 Copyright © 2014, FireEye, Inc. All rights reserved.
Targeting: Caucasus Region Militaries and Media

§ Georgian military
§ Armenian military
§ Kavkaz Center

Targeting journalists could provide APT28 and its sponsors

with a way to monitor public opinion, identify dissidents, spread
disinformation, or facilitate further targeting
7 Copyright © 2014, FireEye, Inc. All rights reserved.
Targeting: Eastern Europe

§ Ministry of Foreign Affairs in Southern EE infected

§ Polish government targeted with CORESHELL
– MH17 lure
§ Baltic Host exercises

8 Copyright © 2014, FireEye, Inc. All rights reserved.

Targeting: Eastern Europe

9 Copyright © 2014, FireEye, Inc. All rights reserved.

Targeting: European Security Organizations

§ NATO
§ OSCE

10 Copyright © 2014, FireEye, Inc. All rights reserved.

Targeting: Defense Attaches

§ UK
§ Turkey
§ China
§ Japan
§ South Korea

11 Copyright © 2014, FireEye, Inc. All rights reserved.

Targeting: Wide-ranging Interests
Other probable APT28 targets that we have identified:

§ Norwegian Army (Forsvaret) § European Embassy in Iraq

§ Government of Mexico § Special Operations Forces
§ Chilean Military Exhibition (SOFEX) in Jordan

§ Pakistani Navy § Defense Attaches in East Asia

§ U.S. Defense Contractors § Asia-Pacific Economic Cooperation

(APEC)
§ Al-Wayi News Site

12 Copyright © 2014, FireEye, Inc. All rights reserved.

Lures

13 Copyright © 2014, FireEye, Inc. All rights reserved.

Lures, cont.

14 Copyright © 2014, FireEye, Inc. All rights reserved.

15 Copyright © 2014, FireEye, Inc. All rights reserved.
APT28 Malware Created in Russia?

§ More than 50% of the malware samples with Portable

Executable (PE) resources included Russian language
settings
– significant portion of APT28 malware was compiled in a Russian
language build environment consistently over the course of six
years (2007 to 2013)
– over the time Russian language settings are being replaced by
neutral or English language

16 Copyright © 2014, FireEye, Inc. All rights reserved.

Russian language in the code

§ Locale and language identifiers associated with APT28

malware

17 Copyright © 2014, FireEye, Inc. All rights reserved.

APT28 Malware Created in Russia?

§ Compilation times
– Over 96% of the malware samples were compiled between
Monday and Friday
– More than 89% were compiled between 8AM and 6PM in the
UTC+3 / UTC+4 time zone, which parallels the working hours in
Moscow and St. Petersburg
– These samples had compile dates ranging from mid-2007 to
September 2014

18 Copyright © 2014, FireEye, Inc. All rights reserved.

When were developers working?

19 Copyright © 2014, FireEye, Inc. All rights reserved.

APT28 Malware Overview

§ Malware compile times suggest that APT28 developers

have consistently updated their tools over the last seven
years.
§ APT28 malware, in particular the family of modular
backdoors that we call CHOPSTICK, indicates a formal
code development environment
– Such an environment would almost certainly be required to track
and define the various modules that can be included in the
backdoor at compile time

20 Copyright © 2014, FireEye, Inc. All rights reserved.

APT28 Malware Overview, cont.
§ APT28 tailors implants for specific victim environments.
– They steal data by configuring their implants to send data out of
the network using for example a victim network’s mail server.
§ Several of APT28’s malware samples contain counter-
analysis capabilities
– runtime checks to identify an analysis environment
– obfuscated strings unpacked at runtime
– the inclusion of unused machine instructions to slow analysis
– RSA encryption of stolen data
21 Copyright © 2014, FireEye, Inc. All rights reserved.
 Malware: Ecosystem and Attack Lifecycle
Can be also a
compromised web site

Can be also JS/applet

Multi-vector / Multi-Flow
based exploit
Obfuscated/encrypted to
evade detection

Obfuscated/encrypted to EVILTOSS
evade detection, dedicated

CHOPSTICK

22 Copyright © 2014, FireEye, Inc. All rights reserved.

Malware

§ SOURFACE
– This downloader is typically called Sofacy within the cyber
security community.
– However because we have observed the name “Sofacy” used to
refer to APT28 malware generally (to include the SOURFACE
dropper, EVILTOSS, CHOPSTICK, and the credential harvester
OLDBAIT), we are using the name SOURFACE to precisely refer
to a specific downloader.
– This downloader obtains a second-stage backdoor from a C2
server

23 Copyright © 2014, FireEye, Inc. All rights reserved.

Malware, cont.
§ CORESHELL
– It is an updated version of SOURFACE
– Switched C2 Servers from hardcoded IPs into domains
– The compiled DLL name changed to coreshell.dll
– Minor changes to the network communications
§ EVILTOSS
– this backdoor has been delivered through the SOURFACE downloader to gain
system access for reconnaissance, key logging, monitoring, credential theft, and
shellcode execution
– The backdoor encrypts data that it uploads with an RSA public key
– Many of its variants we have seen are named netui.dll.
– EVILTOSS variants may use the Simple Mail Transfer Protocol (SMTP) to send
stolen data in an attachment named “detaluri.dat”

24 Copyright © 2014, FireEye, Inc. All rights reserved.

Malware, cont.
§ CHOPSTICK
– This is a modular implant compiled from a software framework that provides
tailored functionality and flexibility (for example to use local network resources
such as email server)
– CHOPSTICK variant contained modules and functions for collecting keystroke
logs, Microsoft Office documents, and PGP files
§ CHOPSTICK variants may move messages and information using:
1. Communications with a C2 server using HTTP
2. Email sent through a specified mail server. All information required for the
email was hardcoded in the backdoor.
3. Local copying to defeat closed networks by routing messages between local
directories, the registry and USB drives

25 Copyright © 2014, FireEye, Inc. All rights reserved.

Malware, cont.

§ OLDBAIT
– It is a credential harvester
– Installs itself in %ALLUSERPROFILE%\\Application  Data\  
Microsoft\MediaPlayer\updatewindws.exe
– Credentials for the following applications are collected: Internet
Explorer, Mozilla Firefox, Eudora, The Bat! (an email client),
Becky! (an email client)
– Both email and HTTP can be used to send out the collected
credentials

26 Copyright © 2014, FireEye, Inc. All rights reserved.

 Malware: Updated Since 2007

§ New network traffic formats, export functions, filenames

§ Removed Russian language resources
§ The hostname, volume serial number and OS version
data are encoded in the new URL format.

Example of modified SOURFACE vs. CORESHELL

communications Example CORESHELL POST request

27 Copyright © 2014, FireEye, Inc. All rights reserved.

Conclusion
§ FireEye started researching APT28 based on activity we
observed on our clients’ networks, similar to other
targeted threat groups we have identified over time
§ APT28’s characteristics: their targeting, malware,
language, and working hours, have led us to conclude
that we are tracking a focused, long-standing espionage
effort
§ Given the available data, we assess that APT28’s work is
sponsored by the Russian government

28 Copyright © 2014, FireEye, Inc. All rights reserved.

Additional Information

§ FireEye Blog
https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-
into-russias-cyber-espionage-operations.html

§ Indicators (IOC) to help organizations detect APT28

activity
https://github.com/fireeye/iocs

29 Copyright © 2014, FireEye, Inc. All rights reserved.

Questions?

30 Copyright © 2014, FireEye, Inc. All rights reserved.

🧱 PHYSICAL LAYER — The Foundation of Communication 🌍
🧠 PURPOSE:
The Physical Layer is responsible for the actual transmission of raw bits—0s and 1s—over a
physical communication channel. It's where abstract binary data becomes tangible, transmittable
energy: voltages, light pulses, or electromagnetic waves.

⚙️ KEY FUNCTIONS OF THE PHYSICAL LAYER

1. 🧩 Bit Representation
Data Unit: Bit (binary digit, either 0 or 1).
Converts digital data (e.g., 01001101) into physical signals:
Voltage (copper)
Light (fiber optic)
Radio waves (wireless)

🧪 Example:
Bit 1 = +5V
Bit 0 = 0V
This is called binary voltage signaling.

2. 🌐 Physical Medium and Transmission Techniques

Defines the medium and the signal type:

🧵 Twisted Pair Cable

Common in Ethernet.
Uses differential signaling to cancel out noise.
E.g., Cat 5e, Cat 6, Cat 7.

🔌 Coaxial Cable
Copper core with shielding.
Higher bandwidth than twisted pair.
Used in older broadband networks.

💡 Fiber Optics
Uses light pulses for transmission.
Immune to electromagnetic interference.
Supports long distances and very high bandwidth (up to Tbps).

📶 Wireless Media
Uses radio frequencies, microwaves, or infrared.
Signal is affected by interference, attenuation, and obstacles.
3. 🔄 Transmission Modes
Defines directionality of data flow:

Mode Description Example

Simplex One-way only TV broadcast

Half-duplex Two-way, but only Walkie-talkie

one side at a time

Full-duplex Two-way, Phone call, modern

simultaneously Ethernet

4. 🎚️ Encoding and Modulation

How bits are converted into signals for the medium.

🧾 Line Encoding (Digital to Digital)

NRZ (Non-Return-to-Zero): Simplest, 1 = High, 0 = Low
Manchester Encoding: 1 = High→Low, 0 = Low→High (self-clocking)
4B/5B: Improves synchronization and signal integrity.

📡 Modulation (Digital to Analog for analog mediums)

ASK (Amplitude Shift Keying): Bit represented by amplitude.
FSK (Frequency Shift Keying): Bit represented by frequency.
PSK (Phase Shift Keying): Bit represented by phase change.
Used in DSL, Wi-Fi, satellite.

5. 🕰️ Synchronization
Ensures sender and receiver agree on bit timing (when a bit starts/ends).

Asynchronous transmission: Start/stop bits used.

Synchronous transmission: Uses clock signals or self-clocking encoding (e.g., Manchester).

6. 🧮 Bit Rate vs. Baud Rate

Bit rate: Number of bits transmitted per second (bps).
Baud rate: Number of signal changes per second.
One baud ≠ one bit (e.g., with QPSK, 1 baud = 2 bits)

7. 🌐 Network Topology (Physical)

Determines how devices are physically arranged:

Topology Description Diagram

Bus All nodes share a [Device]—[Device]

single cable —[Device]

Star Central switch/hub Center—[Device],

connects all nodes Center—[Device]

Ring Each device A—B—C—D—A

connected to two
others

Mesh Devices Every node

interconnected connects to every
other

8. 🧷 Line Configuration
Point-to-Point: Direct link between two devices.
Multipoint: Shared link between multiple devices.

🔐 PHYSICAL LAYER SECURITY CONCERNS

 Threat Description Countermeasure

Cable Tapping Attacker physically Use fiber optics,

intercepts wired encrypted payload
signal

Signal Jamming Disrupting wireless Spread-spectrum,

signals frequency hopping

Hardware Physical sabotage Tamper-evident

Tampering or modification casings, cameras

📦 DEVICES THAT OPERATE ON PHYSICAL LAYER

Device Function

Hub Forwards bits to all ports

Repeater Regenerates and amplifies

signal

Modem Modulates/demodulates digital

and analog

Media Converter Converts one medium to

another

🧠 RECAP
Concept Key Points

Goal Transmit raw bits as physical

signals

Data Unit Bit (0 or 1)

Key Functions Transmission, encoding, media

specification

Examples of Media Twisted pair, coax, fiber,

wireless

Vulnerabilities Physical tapping, jamming,

interference
Classifying Cyber Events: A
Proposed Taxonomy
By Charles Harry, PhD, and Nancy Gallagher, PhD

CISSM Working Paper

February 2018

Center for International and Security Studies at Maryland

4113 Van Munching Hall, School of Public Policy
University of Maryland
College Park, MD 20742
(301) 405-7601
Abstract

Publicity surrounding the threat of cyber-attacks continues to grow, yet immature classification
methods for these events prevent technical staff, organizational leaders, and policy makers from
engaging in meaningful and nuanced conversations about the risk to their organizations or
critical infrastructure. This paper provides a taxonomy of cyber events that is used to analyze
over 2,431 publicized cyber events from 2014-2016 by industrial sector. Industrial sectors vary
in the scale of events they are subjected to, the distribution between exploitive and disruptive
event types, and the method by which data is stolen or organizational operations are disrupted.
The number, distribution, and mix of cyber event types highlight significant differences by
sector, demonstrating that strategies may vary based on deeper understandings of the threat
environment faced across industries.

Classifying Cyber Events: A Proposed Taxonomy 2

Introduction

Network security is increasingly recognized as a strategic vulnerability as a growing number of

corporate intrusions are reported. These breaches can affect customer privacy, confidence in a
company’s ability to protect core intellectual property, and essential operations. Large numbers
of intrusions have also occurred into government networks, with recent high-profile breaches
including a significant compromise at the Office of Personal Management (OPM) and at the
credit monitoring service Equifax.

As the private and public sectors grapple with the problem of cyber events, disagreement
remains regarding what can and should be done. Technical solutions, organizational resiliency,
employee education, and improvements in system controls are among many options to reduce
risk. Yet, they are rarely evaluated as part of a strategic approach for addressing diverse threats,
which vary by industry.

Confusion about threats and response options originates in part from imprecision in how we
categorize and measure the range of disruptive cyber events. By failing to recognize the
distinctions between specific forms of attack, the effects they produce on the targeted networks,
the financial strain they place on the targeted organizations, or their broader effects on society,
this confusion leads to the misallocation of resources.

This paper provides a new taxonomy that expands on earlier work by the author and colleagues
to classify cyber incidents by the range of disruptive and exploitative effects produced. It applies
the taxonomy in a sector-based analysis of 2,431 publicized cyber events from 2014-2016. It
finds some striking differences across industries in the scale, method of attack, and distribution
of effect. Government and Professional Services face the largest number of attacks. Governments
experience a mix of disruptive and exploitive events, whereas retail and hotel operators primarily
face exploitive attacks. These findings highlight the need for deeper analysis by sector to assess
the risk for specific organizations and critical infrastructure. They also suggest the importance of
tailoring risk mitigation strategies to fit the different threat environments in various sectors.

Cyber Taxonomies

A confusing array of cyber threat classification systems have been proposed over the past two
decades. Some are based on different phases of the hacking process, while others focus on
specific targets. For example, de Bruijne et al (2017) has created a classification of actors and
methods, whereas Gruschka (2010) develops a taxonomy of attacks against cloud systems. Other
classification approaches focus on specific techniques, such as Distributed Denial of Service or
DDoS attacks (Mirkovic 2004); specific targets, such as browsers (Gaur 2015); or particular IT
capabilities, such as industrial control systems (Zhu 2017) and smart grids (Hu 2014).

Few taxonomies in the information security literature seek to classify events by impact on the
target, the key question for risk assessment. Only two (Howard 1998) and (Kjaerland 2005)
directly propose categories of the effect to the victim. Others including Hansman (2005) focus on

Classifying Cyber Events: A Proposed Taxonomy 3

the attack vector, vulnerabilities, and exploits, while incorporating Howard’s work on effect
categories as part of their broader classification system.

Howard’s widely cited taxonomy includes classification methods for attackers, objectives, tools,
access, and impact. He divides the impact of cyber activity, described as the “unauthorized
results,” into five categories: Corruption of Data, Disclosure of Information, Denial of Service,
Increased Access, and Theft of Service.

Kjaerland (2005) classifies cyber effects differently and as belonging to one of four categories:
Disrupt, Distort, Destruct, and Disclosure. He develops these categories in concert with other
dimensions of analysis to evaluate the linkage between sector, actor, method, and target.

Both of these effect-based taxonomies fail to meet basic standards of a well-defined taxonomy
(Ranganathan 1957), including:

Exclusiveness - No two categories should overlap or should have the same scope and boundaries.

Ascertainability - Each category should be definitively and immediately understandable from its
name.

Consistency - The rules for making the selection should be consistently adhered to.

Affinity and Context - As you move from the top of the hierarchical classification to the bottom,
the specification of the classification should increase.

Currency - Names of the categories in the classification should reflect the language in the
domain for which it is created.

Differentiation -When differentiating a category, it should give rise to at least two subcategories

Exhaustiveness - The classification should provide comprehensive coverage to the domain of

interest.

Howard’s taxomony fails the exhaustiveness requirement because some important and
increasingly common types of cyber events do not fit any of its categories. Examples of these
omissions include attacks on Supervisory Control and Data Acquisition (SCADA) systems, data
deletion resulting from the use of wiper viruses, or social media account hijacking and website
defacement.

The Howard taxonomy also fails the test of exclusivity by including two overlapping effects
categories: Increased Access and Theft of Resources. Most hackers seek greater access and
misuse system resources as a means to an end, not as the final result. Their ultimate goal is not
just access, but the illicit acquisition of information or the disruption of organizational services.
For example, if a hacker wanted to illicitly gain and disseminate information about a company,
they would first obtain unauthorized use of a specific computer or network. Using Howard’s

Classifying Cyber Events: A Proposed Taxonomy 4

categorization of that activity we would have to define a hack of a company database as both a
Theft of Resources as well as a Disclosure of Information event type.

Kjaerland’s classification system also fails important tests for a well-designed taxonomy. By
allowing the same event to be assigned to multiple categories, it violates the criteria of
exclusivity and consistency. For example, Kjaerland’s definition of Destruct notes that “Destruct
is seen as the most invasive and malicious and may include Distort or Disrupt.”

Kjaerland also fails the test of context by mixing impact classification (e.g. destruction of
information) with specific tactics or tools. For example, in his definition of Disrupt he classifies
use of a Trojan as a Disrupt event. However, a Trojan is a technique of hiding a malicious
program in another. That technique can cause many different types of effects depending on
whether it is used to steal or destroy information.

A New Taxonomy

This paper extends previous work (Harry 2015) (Harry & Gallagher 2017) to offer a new
taxonomy for classifying the primary effects on a target of any given cyber event.

I define a cyber event as the result of any single unauthorized effort, or the culmination of many
such technical actions, that engineers, through use of computer technology and networks, a
desired primary effect on a target. For example, if a hacker used a spearphish email to gain
access and then laterally moved through the network to delete data on five machines, that would
count as a single event type whose primary effect resulted in the destruction of data. This
encapsulation of hacker tactics and tradecraft into specification of the primary effect of those
actions is what I define as a cyber event.

In the risk assessment framework developed at the Center for International and Security Studies
at Maryland (CISSM), primary effects are the direct impacts to the target organization’s data or
IT-enabled operations. Cyber events can also cause secondary effects to the organization, such as
the financial costs of replacing equipment damaged in an attack, a drop in the organization’s
stock price, due to bad publicity from the attack, or a loss of confidence in the organization’s
ability to safeguard confidential data. And, they can cause second order effects on individuals or
organizations who rely on the targeted organization for some type of goods or services. These
could include effects on the physical environment, the supply chain, or even distortions an attack
might have on an individual’s attitudes, preferences, or opinion deriving from the release of
salacious information. While these are important areas to consider, they are outside of the scope
of this paper.

Any given cyber event can have one of two types of primary objectives: the disruption to the
functions of the target organization, or the illicit acquisition of information. An attacker might
disrupt an organization’s ability to make products, deliver services, carry out internal functions,
or communicate with the outside world in a number of ways. Alternatively, hackers may seek to
steal credit card user accounts, intellectual property, or sensitive internal communications to get
financial or other benefits without disrupting the organization’s operations.

Classifying Cyber Events: A Proposed Taxonomy 5

 Figure 1: Cyber Event Taxonomy

Disruptive Events

A malicious actor may utilize multiple tactics that have wildly different disruptive effects
depending on how an organization uses information technology to carry out its core functions.
For example, an actor could delete data from one or more corporate networks, deploy
ransomware, destroy physical equipment used to produce goods by manipulating Supervisory
Control and Data Acquisition (SCADA) systems, prevent customers from reaching an
organization’s website, or deny access to a social media account.

Disruptive effects can be classified into five sub-categories depending on the part of an
organization’s IT infrastructure that is most seriously impacted, regardless of what tactic or
techniques were used to accomplish that result. They are: Message Manipulation, External
Denial of Service, Internal Denial of Service, Data Attack, and Physical Attack.

Message Manipulation. Any cyber event that interferes with a victim’s ability to accurately
present or communicate its “message” to its user or customer base is a Message Manipulation
attack. These include the hijacking of social media accounts, such as Facebook or Twitter, or
defacing a company website by replacing the legitimate site with pages supporting a political
cause. For example, in 2015, ISIS affiliated hackers gained access to the YouTube and Twitter
accounts for US CENTCOM. The hackers changed the password, posted threatening messages to
U.S. Service members, and replaced graphics with ISIS imagery (Lamothe 2015). Similarly, in
2016, the website for the International Weightlifting Federation (IWF) was defaced after a
controversial decision to disqualify an Iranian competitor (Cimpanu 2016). Both events used
different tactics, but the primary effect on the targeted organization’s ability to interact with its
audience was the same.

Classifying Cyber Events: A Proposed Taxonomy 6

External Denial of Service. If an attacker executes a cyber-attack from devices outside the target
organization’s network that degrades or denies the victim’s ability to communicate with other
systems, it is classified as an External Denial of Service event. For example, the 2016 Mirai
botnet attack leveraged a compromised set of devices worldwide to overwhelm the DYN
corporation with domain name look-up requests, causing a number of major internet platforms
and services that rely on DYN’s services to stop functioning for many hours (Woolf 2016).
While there are many types of Distributed Denial of Service (DDoS) attacks (ICMP flood, SYN
flood, ping of death, etc.), any of those techniques would produce outcomes that fit the External
Denial of Service cyber event category.

Internal Denial of Service. When a cyber event executed from inside a victim’s network
degrades or denies access to other internal systems, it is an Internal Denial of Service attack. For
instance, an attacker who had gained remote access to a router inside an organization’s network
could reset a core router to factory settings so that devices inside the network could no longer
communicate with one another. The anti DDOS vendor Staminus apparently experienced such an
internal denial of service attack in 2016. It issued a public statement that “a rare event cascaded
across multiple routers in a system-wide event, making our backbone unavailable.” (Reza 2016).
An attacker using malware installed on a file server to disrupt data sent and received between
itself and a user workstation would achieve a similar effect.

Data Attack. Any cyber event that manipulates, destroys, or encrypts data in a victim’s network
is categorized as a Data Attack. Common techniques include the use of wiper viruses and
ransomware. Using stolen administrative credentials to manipulate data and violate its integrity,
such as changing grades in a university registrar’s database would also fit this category. For
example, in 2017 the mass deployment of the NotPeyta ransomware resulted in thousands of data
attack cyber events against individuals as well as to small, medium, and large businesses, with
one case costing the shipping firm Maersk over $200 million (Matthews 2017).

Physical Attack. A cyber event that manipulates, degrades, or destroys physical systems is
classified as a Physical Attack. Current techniques used to achieve this type of effect include the
manipulation of Programable Logic Controllers (PLC) to open or close electrical breakers or
utilize user passwords to access and change settings in a human machine interface to overheat a
blast furnace, causing damage to physical equipment. For example, in the December 2015 cyber-
attack on a Ukrainian utility, a malicious actor accessed and manipulated the control interface to
trip several breakers in power substations. This deenergized a portion of the electrical grid and
tens of thousands of customers lost power for an extended period of time (Lee et al 2016).

Exploitive Events

Some cyber events are designed to steal information rather than to disrupt operations. Hackers
may be seeking customer data, intellectual property, classified national security information, or
sensitive details about the organization itself. While the tactics or techniques used by malicious
actors may change regularly, the location from which they get that information does not. I define
five categories of an exploitive event below: Exploitation of Sensors, Exploitation of End Hosts,

Classifying Cyber Events: A Proposed Taxonomy 7

Exploitation of Infrastructure, Exploitation of Application Servers, and Exploitation of Data in
Transit.

Exploitation of Sensors. A cyber event that results in the loss of data from a peripheral device
like a credit card reader, automobile, smart lightbulb, or a network-connected thermostat is
categorized as an Exploitation of Sensor event. The attack on Eddie Bauer stores where hackers
gained access to hundreds of Point of Sale machines and systematically stole credit card numbers
from thousands of customers fits this category (Krebs 2016). Other examples include illicit
acquisition of technical, customer, personal, or organizational data from CCTV cameras, smart
TVs, or baby monitors.

Exploitation of End Hosts. Hackers often are interested in the data stored on user’s desktop
computers, laptops, or mobile devices. When data is stolen through illicit access to devices used
directly by employees of an organization or by private individuals it is categorized as an
Exploitation of End Host cyber event. Tactics used in this type of attack include sending a
malicious link for a user to click or leveraging compromised user credentials to log in to an
account.

Exploitation of Network Infrastructure. When data is compromised through direct access to

networking equipment such as routers, switches, and modems, the attack is classified as an
Exploitation of Network Infrastructure event. These types of events involve a hacker who,
through use of an exploit or credential compromise, gains direct access to the underlying
infrastructure. For example, a malicious actor who used a vulnerability in the CISCO IOS
operating system to steal configuration information from an organization’s core routing
infrastructure would engineer an Exploitation Network Infrastructure cyber event.

Exploitation of Application Server. Malicious actors who, through misconfiguration or

vulnerability, gain access to data contained in a server-side application (e.g. database) or on the
server itself would generate an Exploitation of Application Server event. A hacker using a SQL
injection to access millions of customer records or the direct access of an e-mail server with all
organizational correspondence would fit into this category. For instance, the compromise of data
in the Office of Personnel Management was the result of access by a malicious actor to a
database hosted on a server (Koerner 2016). Stealing the data required several steps and months
of work, but the event is classified by its ultimate outcome—loss of sensitive information from
central servers hosting large database applications.

Exploitation of Data in Transit. Hackers who acquire data as it is being transmitted between
devices cause Exploitation of Data in Transit events. Examples of this type of event include the
acquisition of unencrypted data as it is sent from a PoS device to a database or moved from an
end-user device through an unsecured wireless hotspot at a local coffee shop.

Classifying Cyber Events: A Proposed Taxonomy 8

Testing the Taxomony on Cyber Events 2014-2016

The best way to assess how well this classification system meets the criteria for a well-defined
taxonomy is to see whether it can be easily and unambiguously used to categorize all the events
in an extensive data set.

Unfortunately, there are no public datasets of cyber attacks that include a variety of cyber events
with a range of both exploitive and disruptive effects. Most public data repositories focus on
some types of events to the exclusion of others. The Privacy Rights Clearinghouse, for example,
has a dataset focused on domestic exploitive attacks, while the blog H-zone.org has a dataset
focused on website defacement attacks (a subset of Message Manipulation). Other datasets are
on privately maintained blogs and webpages. Some do not use a repeatable process to classify or
categorize by sector thereby limiting the range of analysis that can be applied. Others are
compiled from proprietary data or are only available for a steep fee.

To create a dataset that had the information needed to test the CISSM taxonomy, the author used
systematic web searches to identify cyber events that could be characterized by their effects.
Initial searches for generalized references to cyber attacks yielded 3,355 possible events that
were referenced by blogs, security vendor portals, or other English-language news sources from
January 2014 through December 2016.

Of the initial 3,355 candidate cyber events initially discovered, 2,431 were included in the
dataset (72%). Media reports about 909 of the candidate events were broad discussions of
malware campaigns or generalized discussions about threat actor plans and tactics. These were
excluded because they did not provide information on the primary effect to a specific victim.
Media reports about an additional 15 events specifically spoke to the tactics used by the threat
actor independent of the effect to the primary victim, so they were also discarded. For example,
one source discussed the use of compromised Amazon Web services credentials to access a
system but did not talk about what types of actions took place once in the target network.

In complex cases where the victim suffered multiple effects (e.g. website defacement and
DDoS), the dataset counts each effect as a separate, but overlapping, event registered to the
victim. Cyber events were coded to include date, event type, organization type (using the North
American Industrial Classification System (NAICS), a description of the event, and a link to the
source.

This dataset is not an exhaustive accounting of all cyber events during this period. It only
includes events for which there was a direct news source that was verifiable and that provided
some insight into the methods of the attack. The true population of malign cyber activity is
unknown because some significant events are kept secret and many other cyber incidents are too
trivial to warrant media attention. Nevertheless, this dataset includes a large enough number of
events for it to be useful for testing the taxonomy and making rough generalizations about
relative frequencies of different types of events in different sectors.

As discussed earlier, a well-designed taxonomy should, among other things, account for all the
items to be classified, clearly differentiate among categories, ensure that each item has a unique

Classifying Cyber Events: A Proposed Taxonomy 9

classification, and have clear rules that can be consistently applied. The CISSM cyber event
taxomony easily passed each test.

Each of the 2,431 events in the dataset could be coded as either Exploitive or Disruptive and
assigned to one of ten effect-based sub-categories in the CISSM taxonomy. This fulfills the
exhaustiveness requirement. Treating complex attacks in which multiple effects were achieved
by the hacker as a set of separate but overlapping events made it possible to apply the taxonomy
in a consistent manner, to differentiate between categories of effect, and to maintain clear
differentiation between the categorized effects. This analysis did not assess the taxonomy’s
currency, ascertainability, or affinity, because these standards should be judged by individual
users rather than the creator of the taxonomy.

Many cyber classification systems run into the same three major problems: Their inability to
distinguish between tactics and effects; their difficulty remaining relevant as threat actors change
and hacking techniques evolve; and their applicability to some types of IT systems, but not
others. The CISSM taxonomy disentangles stable categories of effects from the rapidly
advancing tactics employed by an ever-changing set of state and non-state hackers in a way that
can be applied to all IT systems in use today or envisioned for the future.

Using the Taxonomy to Analyze Cyber Events

Categorizing cyber events according to their effects rather than treating them as an
indistinguishable, but ever increasing, mass of “cyberattacks” yields a number of useful insights.
Of the 2,431 cyber events during the three-year period reviewed, over 70 percent (1,700) were
exploitive, whereas 30 percent (725) were disruptive. This ratio appears to relatively stable when
examining events on a yearly basis, too. Of the 633 events recorded in 2014, 67 percent (423)
were exploitive, and 33 percent (210) were disruptive. Of the 843 cyber events in 2015, 67
percent (563) were exploitive and 33 percent (280) were disruptive. And of the 955 events
recorded in 2016, 75 percent (714) were exploitive events, compared with 25 percent (241) that
were disruptive.

Of the 1,700 exploitative events, the two most common sub-categories are Exploitation of
Application Server events and Exploitation of End Host events. Ninety percent of all exploitive
events in the dataset fall into one of these two categories. This reflects the current popularity of
SQL injection attacks against web applications, and the heavy use of spearphising campaigns
against end users.

A much smaller percentage of exploitative attacks fall into the other three categories, most likely
because these types of events often require internal access, are inherently more difficult to pull
off, are not as well monitored, or are not as well publicized. Exploitation of Sensor events
represent only 5 percent of the exploitive events sample, probably because the value of data from
many of the devices in this category, like smart thermostats and baby monitors, might not be as
large as records from other sources. Whereas a ready market exists on the Dark Web for
customer data stolen from POS devices, most types of sensor data will not be of broad interest.

Classifying Cyber Events: A Proposed Taxonomy 10

The remaining 5 percent (90) of cyber events were divided between Exploitation of Network
Infrastructure (70 events) and Exploitation of Data in Transit (20 events). These events often
reflected the efforts of more skilled hackers who can leverage toeholds in networks to expand
internal access and acquire information either from network infrastructure such as file shares or
from unencrypted data passed internally through the network.

The 725 disruptive cyber events in the dataset follow a similar pattern with most activity falling
into categories that are generally less problematic. Ninety-six percent of all disruptive events are
either Message Manipulation (60 percent, 433) or External Denial of Service (36 percent, 263)
events. This events reflect efforts by malign actors using less sophisticated techniques to deface
websites that are vulnerable to external access and manipulation, weak passwords surrounding
social media accounts, or high levels of DDoS activity applied by actors against identified
targets.

The remaining 5 percent (29 events), are split between Internal Denial of Service (2 percent, 11
events), Data Attack (2 percent, 14 events), or Physical Attack (1 percent, 4 events). These types
of events involved internal networks, so they required more sophisticated access techniques or
malware leveraged to engineer the intended disruptive effects.

Sector Analysis for Cyber Events

While looking at a general breakdown of cyber

event type is useful, further analysis by sector
reveals interesting variation of effect between
industries. To conduct this analysis, the author
coded the 2,431 cyber events collected using the
North American Industrial Classification System
(NAICS), a hierarchical classification system
commonly used by the U.S. government and
industry to collect, analyze, and publish
information on the U.S. economy. The data set
likely reflects over or under sampling in some
industries and event types with specific state and
federal laws requiring the publication of cyber-
attacks with others not requiring the same
notification. For example, the State of
Maryland’s Personal Information Protection Act
imposes a 45-day notification requirement for
businesses to notify residents when their personal
data has been compromised, yet there is no such
requirement when a business’ website has been
defaced.
Figure 2: Share of all Cyber Events by Sector
An analysis of cyber event activity by sector
reveals three interesting themes. First, while

Classifying Cyber Events: A Proposed Taxonomy 11

most industry sectors are represented in the data, some appear to be targeted by malicious actors
more frequently. Second, the distribution between exploitive and disruptive event types varies by
sector, with some sector’s distribution diverging significantly from the overall average. Finally,
industrial sectors experience a range of event types, with some industries experiencing very
specific categories of effect while others being targeted for a broad range of effects.

In Figure 2, the level of cyber event activity in different sectors is ranked into three tiers—High,
medium, and low—to identify which sectors are currently most prone to the types of
cyberattacks that make it into the public record. Sectors that experience more than 15 percent of
all cyber events in our dataset fit into the highest tier. Government services and professional
services fall into this category; together, they account for 38 percent of all events recorded.

Medium-activity sectors include those that see at least 3.8 percent, but less than 15 percent, of
the events in the full dataset. Sectors falling into this tier include information services, education,
healthcare, finance, retail, entertainment, and accommodation services. The nine sectors in this
category experienced approximately 56.7 percent of the total number of cyber events, suggesting
that a larger breadth of industries is affected by significant numbers of cyber events.

The lowest activity tier includes sectors that had fewer than 3.8 percent of the total events. This
tier includes traditional industries that are less dependent on information technology than other
sectors of the modern economy, such as agriculture, mining, real estate, and construction. Two
sectors considered critical infrastructure—transportation and utilities—also fell into this tier.

In addition to the frequency of event activity, the nature of those effects is also an important
factor in assessing risk to specific sectors. In Figure 3, the percentage of total cyber events
characterized as exploitive is plotted versus the percentage that are disruptive in nature. Only the
ten sectors with the highest frequencies of cyber events are represented in the figure, as many of
the low tier sectors have too few observations to draw meaningful conclusions.

Figure 3: Exploitive vs Disruptive as a Share of Total Events for Top 10 Industry Sectors

Classifying Cyber Events: A Proposed Taxonomy 12

Among the industries that are represented, there appears to be significant differences in the
relative frequencies of exploitative versus disruptive events. For instance, the Retail and
Accommodation and Food Services sectors predominately experience exploitation events (>95
percent Exploitive) whereas the Government Services sector faces a broader mix of exploitation
and disruptive events (53 percent Exploitive, 47 percent Disruptive).

The only sectoral category where the relative frequency of exploitative and disruptive events is
roughly the same as in the entire data set (70 percent Exploitive, 30 percent Disruptive) is the
“other” category. The relative frequency within most sectors is significantly different from the
average distribution. This highlights the importance of assessing risks on a per industry basis
instead of applying general guidance about what types of cyber events are most common.

Lastly, the categories of cyber events are also found to vary between sectors. Table 1 highlights
all cyber events, by share, drawing out some interesting differences. For example, while
Accommodation and Food Services represent only 4.8 percent of all cyber events in the dataset,
that sector accounts for over 36 percent of all Exploitation of Sensor events, well above the
average rate of 3.8 percent. This observation draws attention to the heavy targeting by hackers of
PoS devices used by fast food restaurants and hotels. The same sector is under-represented for
Message Manipulation events. Only 3.4 percent of the events it experienced fell in this category,
compared to the average of 17.9 percent for all sectors.

Differences between sectors in the frequencies of different types of cyber events likely reflect
differences in attacker motivations, vulnerabilities, and benefits that can be obtained through
different types of exploitation of data disruption of key organizational services. For example,
Government Services suffers more Message Manipulation and External Denial of Service event
types, whereas it does not see many Application Server events. A review of specific incidents in
the dataset reveals a large number of attacks against websites aimed at promoting a political
message. These attacks are often exploiting misconfigurations and can be automated thereby
promoting larger numbers of events, whereas exploitation of applications might not occur as
often if the information exploited requires greater effort by the hacker to achieve their goals.

Conclusion

Having an easy-to-use taxonomy that provides an exclusive, exhaustive, and consistent way to
differentiate the primary effects of cyber activity will help organizational leaders and policy
makers have more sophisticated discussions about the different types of threats they face, and the
appropriate risk mitigation strategies. The taxonomy presented in this paper and the analysis of
three years of publicized cyber event data highlights variance in scale, effects, and method.
Differences in the types of disruptive or exploitive attacks directly inform organizational leaders
on both the range as well as concentration of effects they might face. By disentangling tactics
from effect this classification provides a first step in creating a framework by which
organizational leaders can categorize and assess the most consequential forms of cyber attack
they might face. Additional work to measure the impact of specific attacks would allow
organizations and governments to adequately plan for the types of threats they are most likely to

Classifying Cyber Events: A Proposed Taxonomy 13

face, and invest in the technology, training, and processes needed to defend against the most
consequential forms of attack.

Understanding the variation of effect by industry allows organizational leaders to be more

focused on defensive strategies, resiliency measures, or training programs that address specific
effects they are likely to face, rather than interpreting vague guidance by experts or by
purchasing technical solutions that might not be as useful for the threats they face.

About the author

Charles Harry is a senior leader, practitioner, and researcher with over 20 years of experience in
intelligence and cyber operations. Dr. Harry is the Director of Operations at the Maryland Global
Initiative in Cybersecurity (MaGIC), an Associate Research Professor in the School of Public
Policy, and a Senior Research Associate at CISSM.

Nancy Gallagher is the CISSM Director and a Research Professor at the School of Public Policy.

Classifying Cyber Events: A Proposed Taxonomy 14

 Table 1: Cyber Events by Type and Industry Sector

Classifying Cyber Events: A Proposed Taxonomy 15

References

Bedford, D. (2013) “Evaluating Classification Schema and Classification Decisions”. Bulletin of

the American Society for Information Science & Technology, Vol. 39 Issue 2, p13-21

Cimpanu C. (2016) “Iranian Hacker Defaces IWF Website Following Controversial Rio
Olympics Decision” Softpedia News http://news.softpedia.com/news/iranian-hackers-deface-
iwf-website-following-controversial-rio-olympics-decision-507436.shtml

Choo, K. (2011). “The cyber threat landscape: Challenges and future research directions”
Computers & Security, 30(8), 719-731. doi: http://dx.doi.org/10.1016/j.cose.2011.08.004

de Bruijne, M., van Eeten M., Ganan, C., Pieters, W. (2017). “Towards a New Cyber Threat
actor Topology: A Hybrid Method for the NCSC Cyber Security Assessment” Delft University
of Technology https://www.wodc.nl/binaries/2740_Volledige_Tekst_tcm28-273243.pdf

Filipkowski, W. (2008). “Cyber Laundering: An Analysis of Typology and Techniques”

International Journal of Criminal Justice Sciences, Vol 3, pgs 15-27

Gruschka, N., & Jensen, M. (2010). “Attack Surfaces: A Taxonomy for Attacks on Cloud
Services” Paper presented at the IEEE CLOUD

Hansman, S., Hunt R., (2005) “A taxonomy of network and computer attacks”. Computers and
Security, Vo.l 24 Issue 1, p 31-43

Harry, C. (2015) “A Framework for Characterizing Disruptive Cyber Activity and Assessing its
Impact”, Working Paper, Center for International and Security Studies at Maryland (CISSM),
University of Maryland

Harry C. & Gallagher N. (2017) “Categorizing and Assessing Severity of Disruptive Cyber
Events” Policy Brief, Center for International and Security Studies at Maryland (CISSM),
University of Maryland

Howard, J. and Longstaff, T. (1998) “A Common Language for Computer Security Incidents,”
Technical Report, Sandia National Laboratories

Jiankun H., Hemanshu R., and Song G. (2014) “Taxonomy of Attacks for Agent-Based Smart
Grids” IEEE Transactions on Parallel and Distributed Systems, Vol 25, No 7

Kjaerland, M., (2005) “A taxonomy and comparison of computer security incidents from the
commercial and government sectors”. Computers and Security, Vol 25 pgs 522–538.

Kjaerland M. (2005) “A classification of computer security incidents based on reported attack

data” Journal of Investigative Psychology and Offender Profiling. Vol 2, Issue 2 pgs 69-146

Classifying Cyber Events: A Proposed Taxonomy 16

Koerner, B. (2016) “Inside the Cyberattack that Shocked the US Government”, Wired, October
2016. https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

Krebs, B. (2016) “Malware Infected All Eddie Bauer Stores in US and Canada”, Krebs on
Security, https://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stores-in-u-s-
canada/

Lamothe, D “U.S military social media accounts apparently hacked by Islamic State
sympathizers” , http://www.washingtonpost.com/news/checkpoint/wp/2015/01/12/centcom-
twitter-account-apparently-hacked-by-islamic-statesympathizers/, Washington Post, January
2015.

Lee, R., Assante, M., Conway, T. (2016) “Analysis of the Cyber Attack on the Ukrainian Power
Grid”, Sans Institute,. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Lough, D. (2001) “A Taxonomy of Computer Attacks with Applications to Wireless Networks,”

PhD thesis, Virginia Polytechnic Institute and State University

Matthews, L. (2017) “NotPeyta Ransomware Attack Cost Shipping Giant Maersk Over $200
Million”, Forbes https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-
attack-cost-shipping-giant-maersk-over-200-million/#40970b504f9a

Mirkovic, J., and Reiher, P. (2004) “A taxonomy of DDoS attack and DDoS defense
mechanisms” SIGCOMM Comput. Commun. Rev., Vol 34(2), pgs 39-53

Ranganathan, S. R. (1957). Prolegomena to library classification. London: The Library

Association

Rege-Patwardan, A. (2009). “Cybercrimes against critical infrastructures: a study of online

criminal organization and techniques”. Criminal Justice Studies, Vol 22(3), pgs 261-271.

Reza, Ali (2016) “Anti-DDoS firm Staminus hacked, private data posted on line” , Hack Read,
https://www.hackread.com/anti-ddos-firm-staminus-hacked-private-data-posted-online/

Saini, A. Gaur M.S, Laxmi V.S (2015) “A Taxonomy of Browser Attacks”, Handbook of
Research on Digital Crime, Cyberspace Security, and Information Assurance 2015 p. 291-313

Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., & Wu, Q (2009). “AVOIDIT: A cyber attack
taxonomy". University of Memphis.

Woolf, N (2016) “DDoS attack that disrupted internet was the largest of its kind in history,
experts say.” Guardian https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-
mirai-botnet

Zetter, K. (2016) “Inside the Cunning Unprecedented Hack of Ukraine’s Power Grid”, Wired,
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

Classifying Cyber Events: A Proposed Taxonomy 17

Zhu, B. and Sastry, S. (2017) “SCADA-specific Intrusion Detection/Prevention Systems: A
Survey and Taxonomy”, Department of Electrical Computer and Security Engineering,
University of California at Berkeley. Berkeley, CA

Classifying Cyber Events: A Proposed Taxonomy 18